How to Enable MFA Delete for S3 Bucket

Zenesys Technosys
5 min readOct 29, 2021


In this blog post, we will learn how to enable MFA Delete on an S3 bucket. MFA Delete builds on the S3 bucket Versioning feature, so versioning is enabled first.


Table of Contents

  • What is MFA Delete
  • Authentication Mechanism
  • Enable Versioning for S3 bucket
  • Enabling MFA on S3 Bucket
  • Setup Google Authenticator
  • Verification of MFA Delete

Key Notes

  • MFA Delete can be enabled and disabled only by the account root user, using root credentials together with the root user's MFA device

What is MFA Delete?

MFA Delete is a feature that protects the object versions stored in an S3 bucket from accidental or malicious permanent deletion: destructive operations on the bucket succeed only when the request carries a valid MFA code in addition to the normal credentials.

Once enabled, Multi-Factor Authentication is required for two operations:

  • Changing the versioning state of the bucket (for example, suspending versioning)
  • Permanently deleting an object version (a DeleteObject request that specifies a version ID)

Ordinary deletes without a version ID are not affected; they only place a delete marker on the object, and the underlying versions remain recoverable.

Authentication Mechanisms

To activate MFA Delete on an S3 bucket, a request must carry both of the following:

  • The root user's security credentials (access key and secret key)
  • The current six-digit code from the root user's MFA device, such as the Google Authenticator app

Enabling Versioning on S3 Bucket

S3 Versioning keeps multiple versions of the same object in a bucket, which lets us retrieve or restore an object after an accidental overwrite or deletion.

Versioning must be enabled on the S3 bucket before MFA Delete can be activated; the two settings are applied through the same versioning configuration.

Log in to the S3 console and choose the S3 bucket for which MFA Delete should be enabled.

Click the S3 bucket name and choose Properties.

Under Bucket Versioning, click Edit.

Choose Enable and click Save changes.

Versioning is now enabled on the S3 bucket.

Setup Google Authenticator

MFA (Multi-Factor Authentication) is the process of confirming the identity of a user with at least two different kinds of authentication factors.

The most common form of two-factor authentication combines something the user knows or holds, such as a password or an SSH key, with a one-time password (OTP) generated by a mobile application.

For this walkthrough, we will install Google Authenticator on a phone and then configure MFA for the root account, because the codes from this device are what enable and disable MFA Delete.

Checklist

To enable MFA Delete on the S3 bucket, we need the following in place:

  • AWS CLI installed and configured with credentials that can access the S3 bucket
  • An S3 bucket (with versioning enabled, as above)
  • MFA activated for the root account

On Ubuntu, the AWS CLI can be installed with the following command:

sudo apt-get install awscli -y

Execute the command below to configure the AWS CLI on the system:

aws configure

The command prompts for the AWS Access Key ID, the Secret Access Key, a default region and an output format.

Activating MFA on Root

Sign in to the AWS Management Console as the root user and open the IAM console.

Under Multi-factor authentication (MFA), click Enable MFA.

Click Activate MFA, choose Virtual MFA device and click Continue.

Click Show QR code and scan the QR code with the Google Authenticator app installed on your phone.

Enter two consecutive six-digit codes from the app and click Assign MFA.

Once the device is assigned, the virtual device is listed under MFA.

The entry shows the serial number of the MFA device (an ARN of the form arn:aws:iam::<account-id>:mfa/<device-name>). Make a note of it; it is required when activating MFA Delete on the S3 bucket.

The next step is to create an access key and secret key for the root account, because MFA Delete can be enabled and disabled only through the AWS CLI, the AWS SDKs or the Amazon S3 REST API, not from the console.

Click Access keys and then choose Create New Access Key.

Once the key is generated, download it and keep it in a secure location. Root access keys grant unrestricted access to the whole account, so delete them from the IAM console as soon as MFA Delete has been configured.

With these keys, configure the AWS CLI on your system (aws configure, as above).

Once the AWS CLI is configured, run the command below to list the S3 buckets. This verifies that the CLI is configured properly.

aws s3 ls

The command lists the S3 buckets available in the account.

Run the following command to verify that versioning is enabled on the bucket:

aws s3api get-bucket-versioning --bucket singles3bucketaccess

The output should contain "Status": "Enabled". If the command prints nothing, versioning has never been enabled on the bucket and the next step will fail.

Finally, to activate MFA Delete on the S3 bucket, execute the command below using the root user's credentials:

aws s3api put-bucket-versioning --profile default --bucket singles3bucketaccess --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "arn:aws:iam::012340000020:mfa/root-account-mfa-device 307641"

The parts of the command are:

put-bucket-versioning: applies the versioning configuration to the bucket. Status=Enabled keeps versioning on and MFADelete=Enabled turns on MFA Delete.

--profile: the AWS CLI profile to use. The profile is named default unless you chose otherwise; profiles are stored under the .aws folder in the config and credentials files. The profile must hold the root user's access key and secret key, since no IAM user or role can change the MFA Delete setting.

--bucket: the name of the S3 bucket for which MFA Delete should be enabled.

--mfa: the serial number (ARN) of the root user's MFA device, followed by a single space and the current six-digit code from Google Authenticator, all in one quoted string. Each code is valid for about thirty seconds and can be used only once, so read it immediately before running the command.

MFA Delete is now activated on the S3 bucket.

Verification of MFA Delete

We can check whether MFA Delete is enabled or disabled on the bucket in two ways.

Using the AWS S3 console:

Log in to the S3 console, choose the S3 bucket and click Properties.

Under Bucket Versioning, Multi-factor authentication (MFA) delete is shown as Enabled.

Using the AWS CLI:

Execute the command below to check whether MFA Delete is enabled or disabled.

aws s3api get-bucket-versioning --bucket singles3bucketaccess

The output now contains "MFADelete": "Enabled" alongside "Status": "Enabled". Note that the MFADelete field is absent entirely on a bucket where it has never been configured, so its absence should be read as not enabled.
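Checking one bucket by hand does not scale to an account with many buckets. The following is an added example (not code from the original post) that turns the verification step into an audit: it classifies GetBucketVersioning responses, including the cases where the Status or MFADelete field is missing, and walks every bucket the caller can list. The SAMPLE_RESPONSES and the SampleS3 stand-in are constructed for this example so it runs offline; pass --live to use a real boto3 client instead.

```python
"""Report the MFA Delete state of every bucket from GetBucketVersioning.

Added example; not code from the original post. The sample responses
below are constructed to show the states a bucket can be in.
"""


def mfa_delete_state(versioning):
    """Classify one GetBucketVersioning response.

    S3 omits Status for a bucket that has never been versioned and omits
    MFADelete when it has never been configured, so a missing key must be
    treated as 'not enabled' rather than as an error.
    """
    status = versioning.get("Status")      # "Enabled", "Suspended" or absent
    mfa = versioning.get("MFADelete")      # "Enabled", "Disabled" or absent
    if status is None:
        return "unversioned"
    if status == "Enabled" and mfa == "Enabled":
        return "protected"
    if mfa == "Enabled":
        # Versioning suspended: existing versions still need MFA to delete,
        # but new writes no longer create versions, so data is not protected.
        return "versioning-suspended"
    return "mfa-delete-disabled"


def audit(s3):
    """Walk every bucket in the account and map bucket name -> state.

    Needs s3:ListAllMyBuckets and s3:GetBucketVersioning. A bucket that
    cannot be read is reported instead of aborting the whole audit.
    """
    report = {}
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        try:
            report[name] = mfa_delete_state(s3.get_bucket_versioning(Bucket=name))
        except Exception as exc:  # botocore ClientError on a live run
            report[name] = "error: %s" % exc
    return report


def unprotected(report):
    """Sorted names of the buckets that still need attention."""
    return sorted(name for name, state in report.items() if state != "protected")


# Constructed sample responses (not captured from a real account).
SAMPLE_RESPONSES = {
    "logs-versioned-mfa": {"Status": "Enabled", "MFADelete": "Enabled"},
    "logs-versioned-only": {"Status": "Enabled"},
    "logs-mfa-off": {"Status": "Enabled", "MFADelete": "Disabled"},
    "scratch": {},
}


class SampleS3:
    """Minimal stand-in for the boto3 S3 client, backed by SAMPLE_RESPONSES."""

    def list_buckets(self):
        return {"Buckets": [{"Name": name} for name in SAMPLE_RESPONSES]}

    def get_bucket_versioning(self, Bucket):
        return dict(SAMPLE_RESPONSES[Bucket])


if __name__ == "__main__":
    import sys

    if "--live" in sys.argv:
        import boto3
        client = boto3.client("s3")
    else:
        client = SampleS3()
    for name, state in sorted(audit(client).items()):
        print("%-30s %s" % (name, state))
```

Only the "protected" state means what the post set out to achieve; "mfa-delete-disabled" covers both a bucket where MFA Delete was explicitly turned off and one where it was never configured, since S3 reports the second case by leaving the field out.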

Disable MFA Delete

If you wish to disable MFA Delete on the S3 bucket, execute the command below. It is the same put-bucket-versioning call with MFADelete=Disabled, and it still requires root credentials and a fresh MFA code.

aws s3api put-bucket-versioning --profile default --bucket singles3bucketaccess --versioning-configuration Status=Enabled,MFADelete=Disabled --mfa "arn:aws:iam::000000111110:mfa/root-account-mfa-device 520692"

MFA Delete is now disabled for the S3 bucket.

We have implemented a control that adds a layer of protection to the object versions stored in the S3 bucket: without the root user's MFA device, no one can suspend versioning or permanently delete a version.
