A complete Overview & Hands-On for
Scope:
- Intro,
- The Concept: MFA Delete,
- Setup Prerequisites,
- Steps to Enable MFA Delete (CLI / UI),
- Benefits,
- Limitations,
- Use Cases,
- Best Practices,
- Project: Hands-On.
Intro:
The Concept: MFA Delete
- MFA Delete is a security feature in Amazon S3 that requires multi-factor authentication (MFA) for specific actions to prevent accidental or malicious deletion of data.
Specifically, it requires MFA for:
- Permanent deletion of a version in a versioned bucket.
- Disabling versioning on a bucket.
NB:
MFA Delete adds a second layer of protection, ensuring that even if someone has access to twtech credentials, they can't delete critical data without the physical MFA device.
Setup Prerequisites
- Bucket must have versioning enabled
- Root user access (MFA Delete can only be enabled via the AWS root account)
Steps to Enable MFA Delete
- MFA Delete cannot be enabled through the AWS Management Console.
- MFA Delete must be enabled using the AWS CLI, by the root user.
- Enable versioning and MFA Delete using the AWS CLI (the --mfa value is the MFA device ARN, a space, and the code currently shown on the device):
# bash
aws s3api put-bucket-versioning \
  --bucket twtech-s3bucket \
  --versioning-configuration Status=Enabled,MFADelete=Enabled \
  --mfa "arn-of-the-mfa-device mfa-code"
- Example MFA ARN and code:
# bash
--mfa "arn:aws:iam::accountID:mfa/root-account-mfa-device twtech123456"
Benefits
| Benefit | Description |
|---|---|
| Enhanced protection | Prevents accidental or unauthorized permanent deletions. |
| Mitigates insider threats | Adds a second factor even if an IAM user is compromised. |
| Supports compliance | Helpful for regulatory requirements regarding data protection. |
| Applies to critical actions | Only affects the most sensitive operations (permanent deletion, disabling versioning). |
Limitations
| Limitation | Description |
|---|---|
| Only root user can enable | Requires the AWS account root user, not IAM users. |
| Not supported in AWS Console | Must use the AWS CLI to manage. |
| Applies only to versioned buckets | MFA Delete has no effect if versioning is off. |
| Cannot restrict to IAM users | MFA Delete only works with root user MFA. |
| Operational complexity | Slows down legitimate deletion operations (intentionally). |
| Limited automation | Not suitable for programmatic deletes unless MFA is somehow integrated securely. |
Use Cases
| Use Case | Description |
|---|---|
| Protecting critical backups | Prevents accidental or unauthorized deletion of backup files. |
| Long-term compliance data | Ensures regulatory or archival data isn't removed without oversight. |
| Highly sensitive data | Extra layer of security for data with high confidentiality needs. |
| Ransomware/insider protection | Blocks deletion of all data even if credentials are compromised. |
twtech Best Practices
- Combine with versioning for full rollback capability.
- Enable MFA on the root account and store the MFA device securely.
- Use MFA Delete only on buckets storing critical or regulated data.
- Use lifecycle policies with caution – they are not subject to MFA Delete.
Project: Hands-on
How twtech enables MFA Delete to prevent accidental deletion of objects from a bucket by junior engineers, and deletion by malicious attackers.
Step-by-Step:
- twtech creates a bucket called: twtech-mfa-delete
- twtech assigns a name: twtech-mfa-no-delete
- twtech enables bucket versioning:
- twtech creates the bucket: twtech-mfa-no-delete
- twtech goes to Buckets, selects the bucket, opens it and navigates to the Properties tab: twtech-mfa-no-delete
- Under bucket properties, twtech navigates to Bucket Versioning to edit Multi-factor authentication (MFA) delete (currently: Disabled)
- twtech verifies the status: as of June 26, 2025, AWS does not allow MFA Delete to be enabled from the console (GUI).
- twtech enables MFA Delete with the CLI.
- The prerequisite for enabling MFA Delete is to have the IAM access that allows the twtech root user to run the commands.
- twtech must be logged in as the root user.
- twtech goes to the account's Security credentials console to create a policy: twtech-iam-mfa-no-delete
- Under Multi-factor authentication (MFA), twtech assigns an MFA device.
- twtech selects the method of authentication: Authenticator app (Duo Mobile, already downloaded and installed on the device)
- twtech clicks on Show QR code (before/after screenshots)
- twtech scans the QR code with the Duo Mobile app on the device, then copies and enters two consecutive codes generated by the authenticator app.
- The twtech root user needs an AWS access key to enable MFA Delete via the CLI.
NB:
- twtech never shares the root access key with anyone.
- twtech logs in to the account and uses CloudShell to set up the CLI profile.
- twtech configures MFA-delete-profile:
- twtech verifies with a command that the profile is working (list the S3 buckets in the account): Yes, successful.
- twtech also verifies that the profile just created can be queried: Yes, successful.
- twtech enables MFA Delete using the CLI (Command Line Interface).
NB:
To enable MFA Delete on an Amazon S3 bucket, twtech must use the AWS CLI (it cannot be enabled via the AWS Management Console).
Here's how twtech does it:
Prerequisites
- twtech must enable versioning on the bucket.
- The twtech user must be the root user of the AWS account.
- The twtech root user must have MFA enabled and configured.
Command to Enable MFA Delete
# bash
aws s3api put-bucket-versioning \
  --bucket twtech-mfa-delete \
  --versioning-configuration Status=Enabled,MFADelete=Enabled \
  --mfa "arn:aws:iam::accountID:mfa/twtech-iam-mfa-delete 821766" \
  --profile root-twtech-iam-mfa-delete
# Or, on a single line:
aws s3api put-bucket-versioning --bucket twtech-mfa-delete --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "arn:aws:iam::accountID:mfa/twtech-iam-mfa-delete 821766" --profile root-twtech-iam-mfa-delete
NB:
The MFA code generated by the device (Duo Mobile) changes every 30 seconds: 821766
- twtech verifies that MFA Delete is now enabled for the bucket: twtech-mfa-delete
- twtech goes to the bucket properties, refreshes the page and navigates to: Multi-factor authentication (MFA) delete
Yes: twtech has successfully configured and enabled MFA Delete on its bucket.
NB:
- If twtech uploads an object and deletes it, the delete marker version is not itself deleted unless MFA Delete is disabled for the bucket, using the commands that follow.
- twtech uploads a file and tries to delete it: select the file to upload
- twtech uploads the file:
- twtech attempts to delete the object in the bucket with MFA Delete enabled:
- Yes, the object is deleted from the bucket, but a delete marker version is created because versioning was also enabled.
- twtech can subsequently use the delete marker generated for Disaster Recovery.
- twtech verifies the versions of the object in the bucket, including the delete marker version (before/after screenshots).
- twtech attempts to delete the delete marker while MFA Delete is enabled: it is impossible to delete the object version in the twtech bucket.
- The message says: twtech can't permanently delete the object version because MFA Delete is enabled.
- Next, twtech disables MFA Delete to permanently delete any unwanted object version from its bucket via the CLI (before/after screenshots).
- The command to disable MFA Delete (remember to update the MFA code):
# bash
aws s3api put-bucket-versioning --bucket twtech-mfa-delete --versioning-configuration Status=Enabled,MFADelete=Disabled --mfa "arn:aws:iam::accountID:mfa/twtech-iam-mfa-delete 039191" --profile root-twtech-iam-mfa-delete
# or, split across lines:
aws s3api put-bucket-versioning \
  --bucket twtech-mfa-delete \
  --versioning-configuration Status=Enabled,MFADelete=Disabled \
  --mfa "arn:aws:iam::accountID:mfa/twtech-iam-mfa-delete 039191" \
  --profile root-twtech-iam-mfa-delete
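Both the enable command earlier in the post and the disable command just shown are the same put-bucket-versioning call with a different MFADelete value, and the --mfa argument is always the device serial ARN, a space, and the six-digit code. As an added example (not from the original post), the shell helper below checks those inputs and prints the exact command for either state before anything is run against the account; the account ID 123456789012, the code values and the demo profile name are constructed, while the bucket and device names reuse the post's.

```shell
#!/bin/sh
# Added example (not from the original post): check the inputs and build the
# put-bucket-versioning command used to enable or disable MFA Delete.
# The account ID, profile name and MFA codes below are constructed values.

# mfa_token ARN CODE
# Prints the "<mfa-device-arn> <code>" string that --mfa expects, or fails with
# a message, so a mistyped ARN or a 5-digit code never reaches the root session.
mfa_token() {
    arn=$1
    code=$2
    case "$arn" in
        arn:aws:iam::*:mfa/?*) ;;
        *) echo "mfa_token: not an MFA device ARN: $arn" >&2; return 1 ;;
    esac
    account=${arn#arn:aws:iam::}
    account=${account%%:*}
    case "$account" in
        ''|*[!0-9]*) echo "mfa_token: account ID in ARN must be numeric: $account" >&2; return 1 ;;
    esac
    case "$code" in
        [0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "mfa_token: code must be the 6-digit TOTP value: $code" >&2; return 1 ;;
    esac
    printf '%s %s\n' "$arn" "$code"
}

# mfa_delete_cmd BUCKET ARN CODE Enabled|Disabled [PROFILE]
# Prints the command without running it. Status stays Enabled in both cases:
# MFA Delete is a property of versioning, so versioning must remain on.
mfa_delete_cmd() {
    bucket=$1
    state=$4
    profile=${5:-}
    case "$state" in
        Enabled|Disabled) ;;
        *) echo "mfa_delete_cmd: state must be Enabled or Disabled" >&2; return 1 ;;
    esac
    token=$(mfa_token "$2" "$3") || return 1
    cmd="aws s3api put-bucket-versioning --bucket $bucket"
    cmd="$cmd --versioning-configuration Status=Enabled,MFADelete=$state"
    cmd="$cmd --mfa \"$token\""
    if [ -n "$profile" ]; then
        cmd="$cmd --profile $profile"
    fi
    printf '%s\n' "$cmd"
}

# Demo with constructed values: print the command, read the current code from
# the device, and only then run the reviewed line (for example with eval).
mfa_delete_cmd twtech-mfa-delete \
    arn:aws:iam::123456789012:mfa/twtech-iam-mfa-delete 821766 Enabled \
    root-twtech-iam-mfa-delete
```

The checks are deliberately strict about the code because a stale or short code fails only after the call has been made with root credentials; catching it locally keeps the number of root sessions to a minimum.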
- twtech verifies that MFA Delete has been disabled.
- twtech goes to the bucket properties and refreshes the page (before/after screenshots).
- twtech can now delete object versions with MFA Delete disabled.
Successfully, twtech has configured MFA Delete to protect its objects in twtech-s3buckets.
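The two verification steps above (after enabling and again after disabling) are done by refreshing the console. As an added example that is not part of the original post, the helper below classifies the JSON that `aws s3api get-bucket-versioning --bucket <name> --output json` prints, so the same check can run from a script or a scheduled audit over every bucket that is supposed to be protected. The sample responses are constructed to match the shape of the real CLI output; the bucket names reuse the post's.

```shell
#!/bin/sh
# Added example (not from the original post): classify the JSON printed by
#   aws s3api get-bucket-versioning --bucket <name> --output json
# so the MFA Delete state can be verified from a script instead of by
# refreshing the console. The sample responses below are constructed.

# json_field JSON KEY -> value of a top-level string field (flat JSON only)
json_field() {
    printf '%s\n' "$1" |
        sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" |
        head -n 1
}

# mfa_delete_state JSON
# Prints exactly one of: protected | versioned-no-mfa | suspended | unversioned
mfa_delete_state() {
    status=$(json_field "$1" Status)
    mfa=$(json_field "$1" MFADelete)
    case "$status:$mfa" in
        Enabled:Enabled) echo protected ;;          # versioned and MFA Delete on
        Enabled:*)       echo versioned-no-mfa ;;   # versions kept, but any delete permission can purge them
        Suspended:*)     echo suspended ;;
        *)               echo unversioned ;;        # empty response: versioning never configured
    esac
}

# require_protected BUCKET JSON -> 0 if the bucket is protected, 1 otherwise
require_protected() {
    state=$(mfa_delete_state "$2")
    if [ "$state" = protected ]; then
        echo "$1: ok ($state)"
        return 0
    fi
    echo "$1: NOT protected ($state)" >&2
    return 1
}

# Constructed sample responses (same shape as the real CLI output).
SAMPLE_PROTECTED='{
    "Status": "Enabled",
    "MFADelete": "Enabled"
}'
SAMPLE_VERSIONED_ONLY='{ "Status": "Enabled", "MFADelete": "Disabled" }'
SAMPLE_NEVER_VERSIONED=''

# Real use:
#   require_protected twtech-mfa-delete "$(aws s3api get-bucket-versioning --bucket twtech-mfa-delete --output json)"
require_protected twtech-mfa-delete "$SAMPLE_PROTECTED"
require_protected twtech-mfa-no-delete "$SAMPLE_VERSIONED_ONLY" || true
```

The "versioned-no-mfa" state is the one to alert on: it is exactly what the bucket looks like between the disable command and the re-enable, and a bucket left there keeps its versions only until someone with delete permission removes them.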
Addendum:
- twtech may find its MFA device ARN:
- twtech can list the MFA devices for its root account using:
# bash
aws iam list-mfa-devices
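As an added example (not from the original post), the helper below pulls the SerialNumber values out of the list-mfa-devices JSON so the ARN used with --mfa is copied from the API response rather than retyped, and it refuses to guess when more than one device is registered. The sample response is constructed (the account ID 123456789012, user name and date are made up; the device name reuses the post's).

```shell
#!/bin/sh
# Added example (not from the original post): extract the device ARN(s) from
#   aws iam list-mfa-devices --output json
# so the serial number used with --mfa comes from the API response rather than
# from a hand-typed string. The sample response below is constructed.

# mfa_serials JSON -> one SerialNumber per line
mfa_serials() {
    printf '%s\n' "$1" |
        grep -o '"SerialNumber"[[:space:]]*:[[:space:]]*"[^"]*"' |
        sed 's/.*"\([^"]*\)"$/\1/'
}

# root_mfa_arn JSON -> the single device ARN, or fail if there is not exactly one
# (a root user may register several devices; then the caller must pick one).
root_mfa_arn() {
    serials=$(mfa_serials "$1")
    count=$(printf '%s\n' "$serials" | grep -c . || true)   # count non-empty lines
    if [ "$count" -ne 1 ]; then
        echo "root_mfa_arn: expected exactly one MFA device, found $count" >&2
        return 1
    fi
    printf '%s\n' "$serials"
}

# Constructed sample response (same shape as the real CLI output).
SAMPLE_DEVICES='{
    "MFADevices": [
        {
            "UserName": "twtech-root",
            "SerialNumber": "arn:aws:iam::123456789012:mfa/twtech-iam-mfa-delete",
            "EnableDate": "2025-06-26T10:15:00+00:00"
        }
    ]
}'

# Real use: root_mfa_arn "$(aws iam list-mfa-devices --output json)"
root_mfa_arn "$SAMPLE_DEVICES"
```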