A complete explanation of Amazon S3 – MFA Delete, including its concept, setup, benefits, limitations, and use cases:
Concept: MFA Delete
MFA Delete is a security feature in Amazon S3 that requires multi-factor authentication (MFA) for specific actions, to prevent accidental or malicious deletion of data.
Specifically, it requires MFA for:
- Permanent deletion of an object version in a versioned bucket.
- Disabling (suspending) versioning on a bucket.
MFA Delete adds a second layer of protection, ensuring that even if someone has access to your credentials, they can’t permanently delete critical data without the MFA device.
Setup
Prerequisites
- The bucket must have versioning enabled.
- Root user access (MFA Delete can only be enabled by the AWS account root user).
Steps to Enable MFA Delete
MFA Delete cannot be enabled through the AWS Management Console. It must be done using the AWS CLI (or the S3 API) while authenticated as the root user.
- Enable versioning and MFA Delete using the AWS CLI:
# bash
aws s3api put-bucket-versioning \
    --bucket twtech-s3bucket \
    --versioning-configuration Status=Enabled,MFADelete=Enabled \
    --mfa "arn-of-the-mfa-device mfa-code"
- Example MFA ARN and code (the device ARN and the current 6-digit code, separated by a single space):
# bash
--mfa "arn:aws:iam::12345678xxxx:mfa/root-account-mfa-device 123456"
Benefits
| Benefit | Description |
|---|---|
| Enhanced protection | Prevents accidental or unauthorized permanent deletions. |
| Mitigates insider threats | Adds a second factor even if an IAM user is compromised. |
| Supports compliance | Helpful for regulatory requirements regarding data protection. |
| Applies to critical actions | Only affects the most sensitive operations (permanent deletion, disabling versioning). |
Limitations
| Limitation | Description |
|---|---|
| Only root user can enable | Requires the AWS account root user, not IAM users. |
| Not supported in AWS Console | Must use the AWS CLI to manage. |
| Applies only to versioned buckets | MFA Delete has no effect if versioning is off. |
| Cannot restrict to IAM users | MFA Delete only works with the root user's MFA. |
| Operational complexity | Slows down legitimate deletion operations (intentionally). |
| Limited automation | Not suitable for programmatic deletes unless MFA is somehow integrated securely. |
Use Cases
| Use Case | Description |
|---|---|
| Protecting critical backups | Prevents accidental or unauthorized deletion of backup files. |
| Long-term compliance data | Ensures regulatory or archival data isn’t removed without oversight. |
| Highly sensitive data | Extra layer of security for data with high confidentiality needs. |
| Ransomware/insider protection | Blocks permanent deletion of object versions even if credentials are compromised. |
twtech Best Practices
- Combine with versioning for full rollback capability.
- Enable MFA on the root account and store the MFA device securely.
- Use MFA Delete only on buckets storing critical or regulated data.
- Use lifecycle policies with caution – they are not subject to MFA Delete.
Project: Hands-on
How twtech uses MFA Delete to prevent accidental deletion of objects from a bucket, or deletion by malicious attacks.
Create a bucket called: twtech-mfa-delete
Assign a name: twtech-mfa-delete
Enable bucket versioning:
Create bucket: twtech-mfa-delete
Go to Buckets, select the bucket, open it and navigate to the Properties tab: twtech-mfa-delete
Under Bucket properties, navigate to Bucket Versioning:
To edit Multi-factor authentication (MFA) delete
From: Disabled
To view the status: as of June 26, 2025, AWS does not allow MFA Delete to be enabled from the console (GUI).
However, twtech enables MFA Delete with the CLI.
The prerequisite to enable MFA Delete is to have credentials that allow the commands to be run. You must be logged in as the root user.
Go to Account > Security credentials in the console to register an MFA device: twtech-iam-mfa-delete
Under Multi-factor authentication (MFA): assign an MFA device.
Select the method of authentication: Authenticator app (Duo Mobile already downloaded and installed on the device).
Click on Show QR code.
Scan the QR code with the Duo Mobile app on the device and enter two consecutive codes generated by the authenticator app.
We need a root access key to use in enabling MFA Delete via the CLI.
NB: Never share the root access key with anyone. Delete the key again as soon as the MFA Delete change is done, since a root access key is not subject to the MFA Delete protection it is used to configure.
Login via CloudShell and set up the profile: aws configure --profile root-twtech-iam-mfa-delete
Configure the MFA-delete profile:
Verifiable command to test if the profile is working (list the S3 buckets in the account): aws s3 ls
Yes, successful.
Also verify that the profile just created can be queried as well: aws s3 ls --profile root-twtech-iam-mfa-delete
How twtech enables MFA Delete using the CLI (Command Line Interface)
To enable MFA Delete on an Amazon S3 bucket, you must use the AWS CLI (it cannot be enabled via the AWS Management Console). Here’s how to do it:
Prerequisites
- twtech must enable versioning on the bucket.
- twtech must use the root user of the AWS account.
- The root user must have MFA enabled and configured.
Command to Enable MFA Delete
# bash
aws s3api put-bucket-versioning \
    --bucket twtech-mfa-delete \
    --versioning-configuration Status=Enabled,MFADelete=Enabled \
    --mfa "arn:aws:iam::98xxxxxxxxxxxx:mfa/twtech-iam-mfa-delete 821766" \
    --profile root-twtech-iam-mfa-delete
# Or, on a single line:
aws s3api put-bucket-versioning --bucket twtech-mfa-delete --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "arn:aws:iam::98xxxxxxxxxxx:mfa/twtech-iam-mfa-delete 821766" --profile root-twtech-iam-mfa-delete
NB:
The MFA code generated by the device changes every 30 seconds: 821766
How twtech verifies that MFA Delete is eventually enabled for the bucket: twtech-mfa-delete
Go to bucket properties, refresh the page and navigate to: Multi-factor authentication (MFA) delete
Yes: twtech has successfully configured and enabled MFA Delete on its bucket.
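An added check that is not part of twtech's post: it builds the `--mfa` value from the device ARN and the current code, and classifies the output of `aws s3api get-bucket-versioning` so the protected state can be confirmed from the CLI rather than only from the console. The bucket names, the 12-digit account ID and the JSON outputs below are constructed.

```python
"""Added example (not twtech's code): build the --mfa argument and audit MFA Delete state.
Assumes the JSON printed by `aws s3api get-bucket-versioning`: {"Status": "Enabled"|"Suspended",
"MFADelete": "Enabled"|"Disabled"}, or empty output when versioning was never configured.
All bucket data below is constructed.
"""
import json
import re

# IAM MFA device ARN: 12-digit account id, then mfa/<device-name>.
MFA_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:mfa/[\w+=,.@-]+$")
CODE_RE = re.compile(r"^\d{6}$")

def build_mfa_arg(device_arn: str, code: str) -> str:
    """Value for --mfa: device ARN and the current 6-digit code, space-separated."""
    if not MFA_ARN_RE.match(device_arn):
        raise ValueError(f"not an IAM MFA device ARN: {device_arn}")
    if not CODE_RE.match(code):
        raise ValueError("MFA code must be the 6-digit value from the authenticator app")
    return f"{device_arn} {code}"

def mfa_delete_state(versioning: dict) -> str:
    """Classify one get-bucket-versioning response:
    unversioned (MFA Delete cannot apply), suspended (the MFADelete flag protects nothing),
    versioned (MFADelete Disabled or absent), protected (versioned + MFADelete Enabled)."""
    status = versioning.get("Status")
    if status is None:
        return "unversioned"
    if status == "Suspended":
        return "suspended"
    return "protected" if versioning.get("MFADelete") == "Enabled" else "versioned"

def audit(cli_outputs: dict) -> dict:
    """Map bucket name -> state from raw CLI stdout (empty stdout = never configured)."""
    return {b: mfa_delete_state(json.loads(t) if t.strip() else {})
            for b, t in cli_outputs.items()}

# Constructed sample stdout, one entry per bucket.
SAMPLE_OUTPUTS = {
    "twtech-mfa-delete": '{"Status": "Enabled", "MFADelete": "Enabled"}',
    "twtech-logs": '{"Status": "Enabled", "MFADelete": "Disabled"}',
    "twtech-scratch": "",
    "twtech-old": '{"Status": "Suspended", "MFADelete": "Enabled"}',
}

if __name__ == "__main__":
    print(build_mfa_arg("arn:aws:iam::123456789012:mfa/twtech-iam-mfa-delete", "821766"))
    for bucket, state in audit(SAMPLE_OUTPUTS).items():
        print(f"{bucket}: {state}")
```

Feed `audit` the real stdout of `aws s3api get-bucket-versioning --bucket <name> --profile <profile>` for each bucket; any state other than protected means that bucket is not yet covered by MFA Delete.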
NB:
If twtech uploads an object and deletes it, the delete only creates a delete marker; the object version (and the delete marker) cannot be permanently deleted unless MFA Delete is disabled, with the commands that follow.
twtech uploads a file and tries to delete it: select the file to upload.
Upload the file:
Attempting to delete the object in the bucket with MFA Delete enabled:
Yes, the object is deleted from the bucket, but a delete marker version is created because versioning was also enabled.
Show versions of the object in the bucket (including the delete marker version):
Attempting to delete the delete marker when MFA Delete is enabled:
The message says: twtech can’t permanently delete the object version because MFA Delete is enabled.
How twtech disables MFA Delete to permanently delete an object version from its bucket via the CLI:
The command to disable MFA Delete (remember to update the MFA code):
aws s3api put-bucket-versioning --bucket twtech-mfa-delete --versioning-configuration Status=Enabled,MFADelete=Disabled --mfa "arn:aws:iam::98xxxxxxxxxxx:mfa/twtech-iam-mfa-delete 039191" --profile root-twtech-iam-mfa-delete
# or:
# bash
aws s3api put-bucket-versioning \
    --bucket twtech-mfa-delete \
    --versioning-configuration Status=Enabled,MFADelete=Disabled \
    --mfa "arn:aws:iam::98xxxxxxxxxxxx:mfa/twtech-iam-mfa-delete 039191" \
    --profile root-twtech-iam-mfa-delete
How twtech verifies that MFA Delete has been disabled:
Go to bucket properties and refresh the page.
How twtech eventually can delete object versions with MFA Delete disabled:
Successfully, twtech has been able to configure MFA Delete to protect its objects in twtech-s3buckets.
Addendum:
How twtech may find its MFA device ARN:
twtech can list the MFA devices for its root account using the root profile (with no --user-name argument, the command lists the devices of the calling identity):
# bash
aws iam list-mfa-devices