CloudTrail Bucket MFA Delete Enabled

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: CT-004

Ensure that your AWS CloudTrail logging bucket uses the Multi-Factor Authentication (MFA) Delete feature in order to prevent the deletion of any versioned log files.

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS


Using an MFA-protected bucket for AWS CloudTrail adds a further layer of protection so that your versioned log files cannot be deleted, whether accidentally or intentionally by someone who has compromised your access credentials.

Note: Only the S3 bucket owner (the AWS root account) can enable the MFA Delete feature and perform DELETE actions on the CloudTrail logging bucket.


To determine if your CloudTrail logging bucket has MFA Delete enabled, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudTrail dashboard at

03 In the left navigation panel, select Trails.

04 Under Name column, select the trail name that you need to examine.

05 Under the Storage Location section, check the name of the S3 bucket used to store log files.

06 Navigate to S3 dashboard at

07 Select the S3 bucket used by the CloudTrail trail, then click the Properties tab from the right panel.

08 In the Properties panel, under the bucket Owner name, search for the MFA Delete status. If the feature status is not displayed at all (bucket object versioning is disabled) or the current status is Not Enabled, the S3 bucket selected is not MFA-protected.

Using AWS CLI

01 Run describe-trails command (OSX/Linux/UNIX) to list all CloudTrail trails available in your AWS region:

aws cloudtrail describe-trails

02 The command output should expose the name of the S3 bucket used by each trail to store AWS CloudTrail log files:

    {
        "trailList": [
            {
                "IncludeGlobalServiceEvents": true,
                "Name": "MyCloudTrail",
                "TrailARN": "arn:aws:cloudtrail:us-east-1:",
                "LogFileValidationEnabled": false,
                "IsMultiRegionTrail": true,
                "S3BucketName": "cloudtrail-global-logging",
                "HomeRegion": "us-east-1"
            }
        ]
    }

03 Run get-bucket-versioning command (OSX/Linux/UNIX) to determine if your CloudTrail bucket has object versioning enabled. Versioning is a method of keeping multiple variants of an object (in this case, a log file) in the same bucket. Since MFA Delete requires bucket versioning as a dependency, you cannot use the feature without versioning enabled. If the following command does not return any output, versioning is not active, hence MFA Delete is not enabled for the selected bucket. If the output shows "Status": "Enabled" but not "MFADelete": "Enabled", the bucket is versioned but still not MFA-protected:

aws s3api get-bucket-versioning \
    --bucket cloudtrail-global-logging

Remediation / Resolution

To enable MFA Delete protection for your CloudTrail logging bucket via AWS CLI, perform the following:

Note: enabling MFA Delete via the AWS Management Console is not currently supported.


01 You need to enable MFA Delete at the same time as you set the versioning state for your bucket. Run put-bucket-versioning command (OSX/Linux/UNIX) to enable versioning and MFA Delete for the selected bucket. Use the MFA device enabled for your AWS root account and replace the bucket name, account ID, device name and passcode with your own details. The --mfa parameter value is a single string with the following format: arn:aws:iam::aws_account_id:mfa/root-account-mfa-device mfa_device_passcode

aws s3api put-bucket-versioning \
    --bucket cloudtrail-global-logging \
    --versioning-configuration MFADelete=Enabled,Status=Enabled \
    --mfa 'arn:aws:iam::123456789012:mfa/root-account-mfa-device 993475'

02 Run get-bucket-versioning command (OSX/Linux/UNIX) using the bucket name to determine if versioning and MFA delete protection were enabled:

aws s3api get-bucket-versioning \
    --bucket cloudtrail-global-logging

03 If enabled, the command output should look like the following:

{
  "MFADelete": "Enabled",
  "Status": "Enabled"
}
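The audit section above checks one trail by hand, and the remediation step depends on the --mfa value being formatted exactly right. The following POSIX shell script is an added example, not code from the Conformity page or from AWS: it classifies the output of get-bucket-versioning into the states the page discusses (no output, versioning without MFA Delete, versioning suspended, MFA Delete enabled), validates and builds the --mfa argument for put-bucket-versioning, and loops over every trail that describe-trails returns. The function names, the constructed sample responses and the use of the CLI's --query/--output text options are this example's own choices; the functions that call the aws CLI need a configured CLI and credentials, and the root account's MFA device for the remediation call.

```shell
#!/bin/sh
# Added example, not from the Conformity page: audit every CloudTrail trail's
# logging bucket for MFA Delete, and build the --mfa argument safely.
# Function names are this example's own.

# classify_versioning JSON
#   JSON is the raw output of "aws s3api get-bucket-versioning".
#   Prints one of mfa-delete-enabled, versioning-only, versioning-suspended,
#   versioning-disabled; returns 0 only for mfa-delete-enabled (CT-004 passes).
classify_versioning() {
    json="$1"
    # Empty output (or an empty object) means versioning was never configured,
    # so MFA Delete cannot be on: the case described in audit step 03.
    if [ -z "$(printf '%s' "$json" | tr -d '[:space:]{}')" ]; then
        echo "versioning-disabled"
        return 1
    fi
    if printf '%s' "$json" | grep -q '"Status"[[:space:]]*:[[:space:]]*"Suspended"'; then
        echo "versioning-suspended"
        return 1
    fi
    # Versioning is on; only an explicit "MFADelete": "Enabled" is compliant.
    if printf '%s' "$json" | grep -q '"MFADelete"[[:space:]]*:[[:space:]]*"Enabled"'; then
        echo "mfa-delete-enabled"
        return 0
    fi
    echo "versioning-only"
    return 1
}

# build_mfa_arg SERIAL PASSCODE
#   Prints the single "serial passcode" string that --mfa expects, after
#   checking that SERIAL is an IAM MFA device ARN and PASSCODE is six digits.
build_mfa_arg() {
    serial="$1"
    code="$2"
    printf '%s' "$serial" | grep -Eq '^arn:aws[a-z-]*:iam::[0-9]{12}:mfa/[^[:space:]]+$' || {
        echo "build_mfa_arg: serial must look like arn:aws:iam::<account-id>:mfa/<device>" >&2
        return 1
    }
    printf '%s' "$code" | grep -Eq '^[0-9]{6}$' || {
        echo "build_mfa_arg: passcode must be the six-digit code from the device" >&2
        return 1
    }
    printf '%s %s\n' "$serial" "$code"
}

# audit_cloudtrail_buckets
#   Prints "<bucket><TAB><state>" for the logging bucket of every trail that
#   describe-trails returns. Needs the aws CLI and credentials, so it is not
#   exercised offline. Returns 1 if any bucket is not MFA-protected. Note that
#   an aws error (for example no access to a bucket in another account) yields
#   empty output, which is reported as versioning-disabled: check stderr too.
audit_cloudtrail_buckets() {
    rc=0
    # --query/--output are standard aws CLI options; trails sharing a bucket are collapsed.
    for bucket in $(aws cloudtrail describe-trails \
                        --query 'trailList[].S3BucketName' --output text | tr '\t' '\n' | sort -u); do
        state=$(classify_versioning "$(aws s3api get-bucket-versioning --bucket "$bucket")") || rc=1
        printf '%s\t%s\n' "$bucket" "$state"
    done
    return $rc
}

# enable_mfa_delete BUCKET SERIAL PASSCODE
#   Turns on versioning and MFA Delete in one call (they must be set together)
#   using the root account's MFA device, then re-reads the state to confirm.
enable_mfa_delete() {
    mfa_arg=$(build_mfa_arg "$2" "$3") || return 1
    aws s3api put-bucket-versioning \
        --bucket "$1" \
        --versioning-configuration MFADelete=Enabled,Status=Enabled \
        --mfa "$mfa_arg" || return 1
    classify_versioning "$(aws s3api get-bucket-versioning --bucket "$1")"
}

# Constructed sample responses (not captured from a real account), in the
# shape the CLI prints for the states the page discusses.
SAMPLE_COMPLIANT='{
    "MFADelete": "Enabled",
    "Status": "Enabled"
}'
SAMPLE_VERSIONED_ONLY='{
    "MFADelete": "Disabled",
    "Status": "Enabled"
}'
SAMPLE_UNVERSIONED=''

classify_versioning "$SAMPLE_COMPLIANT"               # mfa-delete-enabled
classify_versioning "$SAMPLE_VERSIONED_ONLY" || true  # versioning-only (non-zero status)
classify_versioning "$SAMPLE_UNVERSIONED" || true     # versioning-disabled (non-zero status)
```

Run audit_cloudtrail_buckets in each region that hosts a trail; a non-zero exit status means at least one logging bucket needs the remediation above, and enable_mfa_delete applies it for a single bucket once you have the root MFA serial and a fresh passcode.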

04 Once the MFA Delete feature is enabled, for each DELETE request you must provide your MFA token: the MFA serial number (the full ARN associated with the device) and the generated passcode. To test this feature, try to delete a CloudTrail log file object version with and without the MFA token:

  1. Run list-object-versions command (OSX/Linux/UNIX) to return version information for a CloudTrail log file called my-cloudtrail-log.json.gz available in the selected bucket (the command filters by object key prefix):
    aws s3api list-object-versions \
        --bucket cloudtrail-global-logging \
        --prefix my-cloudtrail-log.json.gz
  2. The command output should return each version ID for the log file:
    {
        "Versions": [
            {
                "LastModified": "2016-04-14T10:51:05.000Z",
                "VersionId": "lftlddyQBw1v7y68Z42UBSEWZodwGQBQ",
                "ETag": "\"07b921ba540251657f5c01eb38e1f074\"",
                "StorageClass": "STANDARD",
                "Key": "my-cloudtrail-log.json.gz",
                "Owner": {
                    "DisplayName": "john.doe",
                    "ID": "718f3e58089ec3bd00296f84056525d"
                },
                "IsLatest": false,
                "Size": 4386
            }
        ]
    }
  3. Run s3api delete-object command (OSX/Linux/UNIX) without MFA authentication and try to delete the selected log file version:
    aws s3api delete-object \
        --bucket cloudtrail-global-logging \
        --version-id '9ULMaOOrT_KhwC04uIS4ognIj0GOrhsL' \
        --key my-cloudtrail-log.json.gz
  4. Without MFA authentication, the command output should return an error message (access denied error) like the following:
    A client error (AccessDenied) occurred: Mfa Authentication must be used for this request. 
    You can see that it will not let you delete an object version without MFA authentication.
  5. Now run s3api delete-object command (OSX/Linux/UNIX) with MFA authentication to delete the selected CloudTrail log file version (replace the bucket name, MFA device ARN, passcode and version ID with your own details):
    aws s3api delete-object \
        --bucket cloudtrail-global-logging \
        --mfa 'arn:aws:iam::123456789012:mfa/root-account-mfa-device 058452' \
        --version-id '9ULMaOOrT_KhwC04uIS4ognIj0GOrhsL' \
        --key my-cloudtrail-log.json.gz
  6. With MFA authentication, the command output should return the version ID of the delete marker:
    {
        "VersionId": "9ULMaOOrT_KhwC04uIS4ognIj0GOrhsL",
        "DeleteMarker": true
    }


Publication date Apr 14, 2016
