How to Enable MFA Delete on S3 Bucket
S3, being one of the most popular object stores, is the go-to choice for customers of all sizes to store their data in the cloud. But what about the security of that data?
In my previous post, How to Enable Versioning on an S3 Bucket, we learnt that we can use AWS S3 versioning to protect our objects from accidental deletion and from being overwritten.
Enabling versioning keeps all versions of a file, and in case of deletion it adds a delete marker to the file. You won’t see the object while listing objects, but in reality you can recover it anytime by deleting the delete marker.
Everything looks perfect right?
Now, imagine someone gets hold of your bucket and deletes an object. You think, well, I have versioning on and I can restore it. But what if the person deletes all the versions as well?
Well, unless you have the object locally, you will lose it forever.
That’s not something we want right?
Therefore, AWS has a feature called MFA Delete which addresses this problem.
Let’s see how…
What is the MFA Delete feature?
MFA Delete is an additional layer of security on top of versioning that you can configure for your bucket. Once configured, apart from your security credentials you must provide a 6 digit code from the approved MFA device to:
- Permanently delete an object version
- Suspend bucket versioning
This ensures that your objects are not accidentally deleted in case of a compromised credential or mishandling, because the person deleting them is required to prove that they actually have the device configured for the token, and only then can they delete.
Note: Only the bucket owner, logged in as the AWS root account, can enable the MFA Delete feature and perform DELETE actions on S3 buckets.
Prerequisites:
- AWS Account
- MFA set up for your root user
Suggested Read: How to Setup MFA for Your Root Account
Steps to Enable MFA Delete on S3 Bucket
- Login to Root Account
- Create an S3 Bucket
- Setup AWS CLI using Root Credentials
- Check Versioning Status of Your Bucket
- Enable MFA Delete
- Verify If MFA Delete is Enabled
- Test MFA Delete
- Disable MFA Delete
Before we start the steps to enable MFA Delete on the bucket, I want you to know two things:
- Only the bucket owner / root account (no admin user allowed) can enable/disable MFA Delete
- You can’t enable MFA Delete using the AWS Console; you must use the AWS CLI
Let's get started
Step 1: Login to Root Account
Open the AWS Management Console and log in to your root account using your email ID and password.
Step 2: Create an S3 Bucket
Well, this step is completely optional. If you are going to enable MFA Delete on an existing bucket, feel free to skip to step 3.
Meanwhile, I will create a bucket with the name cloudkatha-s3-mfa-delete-demo for this post.
If you are new to AWS cloud, feel free to check my previous tutorial on “How to Create an S3 Bucket in AWS Step By Step”.
Step 3: Setup CLI using Root Credentials
By now we know that MFA Delete can only be enabled through the CLI. And on top of that, the CLI needs to be configured using root credentials.
You might think of CloudShell as an option here as it’s really quick.
Are you thinking of CloudShell?
Please don’t!
MFA Delete setup from a CloudShell session, even in the root account, will not work, and if you try you will get the error below.
DevPay and Mfa are mutually exclusive authorization methods
The only option you have is to set up the CLI locally using root credentials.
There are two steps to that.
1. Generate Access/Secret Key in Root Account
Let's generate an access key/secret key for the root user (we will remove it by the end of the tutorial).
Click on your username in the top right corner of the menu and then click My Security Credentials.
Click on the Access keys tab and then click Create New Access Key.
Download the key file because we will need it in the next step to set up the CLI using root credentials.
2. Install and configure AWS CLI if you don’t have it already
Use the command below to set up a profile to use while setting up MFA Delete:
aws configure --profile root-setup
Enter your access key, secret key and default region and you are done.
In case you need help, check: How to Install and Configure AWS CLI on Windows
Step 4: Check the Versioning Status of Your Bucket
As we know that MFA Delete can only be enabled when versioning is enabled, let's check the versioning status of our bucket. If it’s not enabled, you can enable it while enabling MFA Delete anyway.
aws s3api get-bucket-versioning --bucket bucketname --profile profilename
After replacing the bucket name and profile name, my command looks like below:
aws s3api get-bucket-versioning --bucket cloudkatha-s3-mfa-delete-demo --profile root-setup
If it doesn’t return any output, versioning is not enabled on the bucket. Otherwise it returns the following output:
{
    "Status": "Enabled",
    "MFADelete": "Disabled"
}
Note: MFA Delete works only on versioned S3 buckets, so it makes sense to enable these two features (bucket versioning and MFA Delete) at the same time.
Step 5: Enable MFA Delete
You need to keep a few things handy before firing the CLI command to enable MFA Delete on your bucket:
- Bucket Name: cloudkatha-s3-mfa-delete-demo
- MFA ARN: serial number of your MFA device
- Passcode: the current 6 digit code from your authenticator device (MFA)
Here is how you can find the MFA ARN:
Click on your Account Name –> Security Credentials –> MFA –> Serial Number
Grab the serial number; that’s the MFA ARN we are looking for.
We have all the info. So let's see the command that we need to use to enable MFA Delete. Note that the value of --mfa is the MFA ARN and the passcode separated by a single space, passed as one quoted string:
aws s3api put-bucket-versioning --bucket bucket-name --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "arn:aws:iam::AWSAccountId:mfa/root-account-mfa-device Passcode"
After replacing the placeholders in the above command, the resulting command looks like below:
aws s3api put-bucket-versioning --bucket cloudkatha-s3-mfa-delete-demo --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "arn:aws:iam::12345678910:mfa/root-account-mfa-device 948960"
Once you hit enter, you don’t get any response back. So let's validate it by checking the versioning status of the bucket again.
Step 6: Verify If MFA Delete Is Enabled
As we saw earlier, checking the bucket versioning status shows the MFA Delete status as well. So let's check the versioning status of the bucket again.
aws s3api get-bucket-versioning --bucket cloudkatha-s3-mfa-delete-demo --profile root-setup
This time the output shows "MFADelete": "Enabled" along with "Status": "Enabled", so both bucket versioning and MFA Delete are enabled on my bucket now.
Step 7: Test MFA Delete
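Steps 4 to 6 are a handful of CLI calls when you have one bucket, but the same checks are worth scripting when you need to audit many buckets. The following Python script is an added example, not code from the original post: it builds the same get-bucket-versioning and put-bucket-versioning commands, assembles the --mfa value (device ARN, one space, passcode) and interprets the CLI output, including the empty output you get for a bucket on which versioning was never enabled. The function names, the sample outputs and the sample MFA serial are my own constructions; only check_bucket() talks to a real AWS CLI and it needs credentials, everything else runs offline.

```python
"""Added example (not from the original post): helpers for Steps 4 to 6.

Assumptions: function names, the constructed sample CLI outputs and the
sample MFA serial are mine. check_bucket() needs a configured AWS CLI with
root credentials; the parsing and command-building functions run offline.
"""
import json
import re
import shlex
import subprocess
from typing import Dict, List


def valid_mfa_code(code: str) -> bool:
    """A passcode from the authenticator device is exactly six digits."""
    return re.fullmatch(r"\d{6}", code) is not None


def mfa_argument(mfa_serial: str, code: str) -> str:
    """Build the value for --mfa: the device ARN (its serial number) and the
    current passcode separated by ONE space, as in the post's commands."""
    if not mfa_serial.startswith("arn:aws:iam::"):
        raise ValueError("MFA serial must be the device ARN from Security Credentials -> MFA")
    if not valid_mfa_code(code):
        raise ValueError("MFA passcode must be exactly six digits")
    return f"{mfa_serial} {code}"


def get_versioning_command(bucket: str, profile: str) -> List[str]:
    """argv for the status check in Step 4 and Step 6."""
    return ["aws", "s3api", "get-bucket-versioning",
            "--bucket", bucket, "--profile", profile]


def put_versioning_command(bucket: str, profile: str, mfa_serial: str,
                           code: str, mfa_delete: bool = True) -> List[str]:
    """argv for Step 5 (enable) or Step 8 (disable). Status is always
    Enabled here because MFA Delete requires versioning, and suspending
    versioning is itself one of the MFA-protected actions."""
    setting = "Enabled" if mfa_delete else "Disabled"
    return ["aws", "s3api", "put-bucket-versioning",
            "--profile", profile, "--bucket", bucket,
            "--versioning-configuration", f"Status=Enabled,MFADelete={setting}",
            "--mfa", mfa_argument(mfa_serial, code)]


def parse_versioning_status(cli_output: str) -> Dict[str, str]:
    """Interpret get-bucket-versioning output.

    The CLI prints nothing at all for a bucket where versioning was never
    configured (the no-output case from Step 4), so the empty string must be
    handled before json.loads. MFADelete is absent until it has been set
    once, which we report as Disabled.
    """
    text = cli_output.strip()
    if not text:
        return {"versioning": "NotEnabled", "mfa_delete": "Disabled"}
    data = json.loads(text)
    return {"versioning": data.get("Status", "NotEnabled"),
            "mfa_delete": data.get("MFADelete", "Disabled")}


def is_protected(status: Dict[str, str]) -> bool:
    """Object versions are only guarded when BOTH switches are on."""
    return status["versioning"] == "Enabled" and status["mfa_delete"] == "Enabled"


def check_bucket(bucket: str, profile: str) -> Dict[str, str]:
    """Run the real CLI (needs credentials; not exercised offline)."""
    result = subprocess.run(get_versioning_command(bucket, profile),
                            capture_output=True, text=True, check=True)
    return parse_versioning_status(result.stdout)


# Constructed sample CLI outputs, shaped like the ones shown in Steps 4 and 6.
SAMPLE_NEVER_ENABLED = ""
SAMPLE_MFA_DISABLED = '{\n    "Status": "Enabled",\n    "MFADelete": "Disabled"\n}\n'
SAMPLE_MFA_ENABLED = '{\n    "Status": "Enabled",\n    "MFADelete": "Enabled"\n}\n'
SAMPLE_SERIAL = "arn:aws:iam::123456789012:mfa/root-account-mfa-device"  # constructed

if __name__ == "__main__":
    for label, out in (("never enabled", SAMPLE_NEVER_ENABLED),
                       ("mfa disabled", SAMPLE_MFA_DISABLED),
                       ("mfa enabled", SAMPLE_MFA_ENABLED)):
        status = parse_versioning_status(out)
        print(f"{label:14} -> {status} protected={is_protected(status)}")
    # shlex.join quotes the --mfa value; this is why the post wraps it in "...".
    print(shlex.join(put_versioning_command("cloudkatha-s3-mfa-delete-demo",
                                            "root-setup", SAMPLE_SERIAL, "123456")))
```

The printed command is what the post types by hand in Step 5; passing argv lists to subprocess.run, as check_bucket() does, avoids shell quoting mistakes around the space inside the --mfa value.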
The simplest way to test this would be to try to delete a specific version of an object.
You can list all versions of an object by filtering on its key with --prefix (list-object-versions has no --key option):
aws s3api list-object-versions --profile profile-name --bucket bucket-name --prefix test.txt
After replacing the bucket and profile name, it looks like below:
aws s3api list-object-versions --profile root-setup --bucket cloudkatha-s3-mfa-delete-demo --prefix test.txt
Once you run the command, you get a response like:
{
    "IsTruncated": false,
    "KeyMarker": "test.txt",
    "VersionIdMarker": "",
    "Versions": [
        {
            "ETag": "\"0b26e313ed4a7ca6904b0e9369e5b957\"",
            "Size": 19,
            "StorageClass": "STANDARD",
            "Key": "version-1.txt",
            "VersionId": "1WbM5Sgmn_fltBmTPDkDPIudXsV06Nk7",
            "IsLatest": true,
            "LastModified": "2021-12-01T15:45:33+00:00",
            "Owner": {
                "DisplayName": "XXXXXXX",
                "ID": "8ddc41409f69ca79602465bfd60574fe8eb65cf736bcee2e2ee5c858f6b2ac55"
            }
        }
    ],
    "Name": "cloudkatha-s3-mfa-delete-demo",
    "Prefix": "",
    "MaxKeys": 1000,
    "EncodingType": "url"
}
In the response, you will see all the versions of the specified object. Pick the version ID of the version you want to delete and try deleting it with delete-object without the --mfa argument: it errors out saying Mfa must be used.
Let's try to delete with MFA.
aws s3api delete-object --profile root-setup --bucket cloudkatha-s3-mfa-delete-demo --version-id 1WbM5Sgmn_fltBmTPDkDPIudXsV06Nk7 --key test.txt --mfa "arn:aws:iam::12345678910:mfa/root-account-mfa-device 689891"
This time you won’t get any error, which means that version of the object was permanently deleted.
Note: You can delete the object versions using the root account only. Using any other user will return NotDeviceOwnerError.
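The test in Step 7 hinges on two details that are easy to get wrong by hand: which entries in the list-object-versions response are real versions as opposed to delete markers, and that --mfa is only required (and only accepted) when you pass --version-id, because a delete without a version ID merely adds a delete marker. The script below is an added example, not code from the original post; it parses a constructed list-object-versions response (VersionIds and ETags are made up) and builds the delete-object command for either case. Function names are my own.

```python
"""Added example (not from the original post): helpers for Step 7.

Assumptions: the function names and SAMPLE_LIST (a constructed
list-object-versions response with made-up VersionIds) are mine.
"""
import json
from typing import Dict, List, Optional


def summarize_versions(cli_output: str) -> List[Dict[str, object]]:
    """Flatten Versions and DeleteMarkers into one list of rows.

    A delete marker is what a plain delete leaves behind on a versioned
    bucket; S3 lists it under DeleteMarkers, not Versions, so a script that
    only reads Versions would never notice that the object "looks deleted".
    """
    data = json.loads(cli_output)
    rows = []
    for v in data.get("Versions", []):
        rows.append({"key": v["Key"], "version_id": v["VersionId"],
                     "is_latest": v["IsLatest"], "delete_marker": False})
    for m in data.get("DeleteMarkers", []):
        rows.append({"key": m["Key"], "version_id": m["VersionId"],
                     "is_latest": m["IsLatest"], "delete_marker": True})
    return rows


def version_ids(cli_output: str, key: str) -> List[str]:
    """Real (non-marker) version IDs of exactly this key. --prefix also
    matches longer keys such as test.txt.bak, hence the exact comparison."""
    return [r["version_id"] for r in summarize_versions(cli_output)
            if r["key"] == key and not r["delete_marker"]]


def delete_object_command(bucket: str, profile: str, key: str,
                          version_id: Optional[str] = None,
                          mfa_serial: Optional[str] = None,
                          code: Optional[str] = None) -> List[str]:
    """argv for delete-object.

    Without --version-id the call only adds a delete marker (recoverable,
    no MFA involved). With --version-id the version is gone for good, which
    is exactly the action MFA Delete guards, so the --mfa value (serial,
    one space, passcode) is mandatory; without it S3 answers
    "Mfa must be used".
    """
    argv = ["aws", "s3api", "delete-object", "--profile", profile,
            "--bucket", bucket, "--key", key]
    if version_id is None:
        return argv
    if not (mfa_serial and code):
        raise ValueError("permanent delete of a version needs the MFA serial and passcode")
    return argv + ["--version-id", version_id, "--mfa", f"{mfa_serial} {code}"]


# Constructed response: two versions of test.txt hidden behind a delete
# marker, plus an unrelated key that the --prefix filter also matched.
SAMPLE_LIST = json.dumps({
    "IsTruncated": False,
    "Versions": [
        {"ETag": "\"constructed-etag-2\"", "Size": 19, "StorageClass": "STANDARD",
         "Key": "test.txt", "VersionId": "v2-constructed", "IsLatest": False,
         "LastModified": "2021-12-01T15:45:33+00:00"},
        {"ETag": "\"constructed-etag-1\"", "Size": 12, "StorageClass": "STANDARD",
         "Key": "test.txt", "VersionId": "v1-constructed", "IsLatest": False,
         "LastModified": "2021-11-30T10:00:00+00:00"},
        {"ETag": "\"constructed-etag-bak\"", "Size": 7, "StorageClass": "STANDARD",
         "Key": "test.txt.bak", "VersionId": "bak-constructed", "IsLatest": True,
         "LastModified": "2021-11-29T09:00:00+00:00"},
    ],
    "DeleteMarkers": [
        {"Key": "test.txt", "VersionId": "dm-constructed", "IsLatest": True,
         "LastModified": "2021-12-02T08:15:00+00:00"},
    ],
    "Name": "cloudkatha-s3-mfa-delete-demo", "Prefix": "test.txt",
    "MaxKeys": 1000, "EncodingType": "url",
})

if __name__ == "__main__":
    for row in summarize_versions(SAMPLE_LIST):
        kind = "delete marker" if row["delete_marker"] else "version"
        print(f"{row['key']:14} {row['version_id']:16} {kind}"
              + (" (latest)" if row["is_latest"] else ""))
    oldest = version_ids(SAMPLE_LIST, "test.txt")[-1]
    print(delete_object_command("cloudkatha-s3-mfa-delete-demo", "root-setup", "test.txt",
                                oldest, "arn:aws:iam::123456789012:mfa/root-account-mfa-device",
                                "123456"))
```

Removing the delete marker itself (a delete-object call with the marker's VersionId) is how the post's versioning discussion says you "undelete" an object; on an MFA Delete enabled bucket that call needs the --mfa value too, because it is a version-specific delete.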
Step 8: Disable MFA Delete Feature
If you need to disable MFA Delete on your bucket, use a command like below:
aws s3api put-bucket-versioning --profile root-setup --bucket cloudkatha-s3-mfa-delete-demo --versioning-configuration Status=Enabled,MFADelete=Disabled --mfa "arn:aws:iam::672607396920:mfa/root-account-mfa-device 948960"
Once you hit enter, you won’t get any response back, but you can confirm the status by running get-bucket-versioning again.
Cleanup
We created an access key/secret key while setting up the CLI for the root account. It’s time to delete them, as you should ideally never create an access key/secret key for your root account: it has god-like power. So let's delete them.
Go to Account Name -> Security Credentials -> Access Keys
Click Delete to delete the access key.
It’s deleted and we are good to go!
Conclusion
In this post we learnt how to enable MFA Delete on an S3 bucket. We have seen how to add an extra security layer to S3 objects by requiring MFA for the deletion of object versions.
We also learnt that MFA Delete can only be enabled by the root user, and only from the CLI.
I hope this post was helpful to you. If you get stuck at any point, feel free to add a comment. I will reply to your query asap.