Ensure that your AWS CloudTrail logging bucket uses the Multi-Factor Authentication (MFA) Delete feature in order to prevent the deletion of any versioned log files.
This rule can help you with the following compliance standards:
- Payment Card Industry Data Security Standard (PCI DSS)
- Health Insurance Portability and Accountability Act (HIPAA)
- General Data Protection Regulation (GDPR)
- NIST 800-53 (Rev. 4)
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Using an MFA-protected bucket for AWS CloudTrail adds a strong layer of protection that ensures your versioned log files cannot be deleted, whether accidentally or intentionally, even if your access credentials are compromised.
Note: Only the S3 bucket owner (the AWS root account) can enable the MFA Delete feature and perform DELETE actions on the CloudTrail logging bucket.
To determine if your CloudTrail logging bucket has MFA Delete enabled, perform the following:
Remediation / Resolution
To enable MFA Delete protection for your CloudTrail logging bucket via the AWS CLI, perform the following:
Note: enabling MFA Delete via the AWS Management Console is not currently supported.
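As an added example (not the rule page's locked audit or remediation steps, and not Conformity's or AWS's own code), the following POSIX shell script covers both halves of this rule with the AWS CLI: the audit reads `aws s3api get-bucket-versioning` and treats a bucket as compliant only when both versioning and MFA Delete are Enabled, and the remediation calls `aws s3api put-bucket-versioning` with the `--mfa` argument. The bucket name, the root account's MFA device ARN and the current MFA code are hypothetical values supplied by the caller, and the CLI is assumed to run with the bucket owner's (root) credentials. The sample JSON outputs at the bottom are constructed so the parsing logic runs offline.

```shell
#!/bin/sh
# Added example, not part of the Conformity rule page or its locked steps.
# Audits and remediates S3 MFA Delete on a CloudTrail logging bucket with
# the AWS CLI (aws s3api get-bucket-versioning / put-bucket-versioning).
# Assumptions (hypothetical values supplied by the caller): the bucket name,
# the root account's MFA device ARN and its current TOTP code. The AWS CLI
# must run with the bucket owner's (root) credentials, since only the bucket
# owner can enable MFA Delete.

# Pull one string-valued key out of the JSON that get-bucket-versioning
# prints. Prints the value, or nothing if the key is absent (a bucket that
# never had versioning configured has no "MFADelete" key at all).
json_field() {
    _json="$1"
    _key="$2"
    printf '%s\n' "$_json" |
        sed -n "s/.*\"$_key\"[[:space:]]*:[[:space:]]*\"\([A-Za-z]*\)\".*/\1/p" |
        head -n 1
}

# Returns 0 (compliant) only when both versioning and MFA Delete are Enabled.
# MFA Delete requires versioning; a "Suspended" bucket is non-compliant even
# if the MFADelete flag is still reported as Enabled.
mfa_delete_enabled() {
    [ "$(json_field "$1" Status)" = "Enabled" ] &&
        [ "$(json_field "$1" MFADelete)" = "Enabled" ]
}

# Live check against AWS. Returns 0 when compliant, 1 otherwise.
audit_cloudtrail_bucket() {
    _bucket="$1"
    _cfg=$(aws s3api get-bucket-versioning --bucket "$_bucket" --output json)
    if mfa_delete_enabled "$_cfg"; then
        echo "$_bucket: versioning + MFA Delete enabled (compliant)"
        return 0
    fi
    echo "$_bucket: MFA Delete not enabled (non-compliant, risk level High)"
    return 1
}

# Remediation: enable versioning and MFA Delete in one call. The --mfa value
# is the device ARN and the current code separated by a single space.
enable_mfa_delete() {
    _bucket="$1"
    _mfa_arn="$2"   # placeholder, e.g. arn:aws:iam::<account-id>:mfa/<device-name>
    _mfa_code="$3"  # current six-digit code from that device, valid only briefly
    aws s3api put-bucket-versioning \
        --bucket "$_bucket" \
        --versioning-configuration Status=Enabled,MFADelete=Enabled \
        --mfa "$_mfa_arn $_mfa_code"
}

# Constructed sample outputs (the shape get-bucket-versioning prints), used so
# the compliance logic can be exercised offline without AWS credentials.
SAMPLE_COMPLIANT='{
    "Status": "Enabled",
    "MFADelete": "Enabled"
}'
SAMPLE_NO_MFA='{
    "Status": "Enabled"
}'
SAMPLE_SUSPENDED='{
    "Status": "Suspended",
    "MFADelete": "Enabled"
}'

for sample in "$SAMPLE_COMPLIANT" "$SAMPLE_NO_MFA" "$SAMPLE_SUSPENDED"; do
    if mfa_delete_enabled "$sample"; then
        echo "compliant:     $(printf '%s' "$sample" | tr -d '\n ')"
    else
        echo "non-compliant: $(printf '%s' "$sample" | tr -d '\n ')"
    fi
done
```

To audit a real bucket, call `audit_cloudtrail_bucket <bucket-name>`; to remediate, call `enable_mfa_delete <bucket-name> <mfa-device-arn> <current-code>` as the root user. Because the CLI returns no `MFADelete` key for a bucket that has never been versioned, the parser treats a missing key as Disabled rather than as an error, which is the failure mode most likely to hide a non-compliant bucket.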
References (AWS Documentation):
- AWS Identity and Access Management FAQs
- Multi-Factor Authentication
- Protecting Data in Amazon S3
- Using Versioning
- Deleting Objects
- Deleting Object Versions
- Using MFA Delete
Rule: CloudTrail Bucket MFA Delete Enabled
Risk level: High