Ensure that your AWS S3 buckets have the Multi-Factor Authentication (MFA) Delete feature enabled in order to prevent the deletion of versioned S3 objects (files).
This rule can help you with the following compliance standards:
- Payment Card Industry Data Security Standard (PCI DSS)
- General Data Protection Regulation (GDPR)
- NIST 800-53 (Rev. 4)
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Using MFA-protected S3 buckets adds an extra layer of protection, ensuring that S3 objects (files) cannot be accidentally or intentionally deleted by the AWS users that have access to the buckets.
Note: Only the bucket owner, logged in as the AWS root account, can enable the MFA Delete feature and perform DELETE actions on S3 buckets.
To determine if your S3 buckets have the MFA Delete feature enabled, perform the following:
Remediation / Resolution
To enable MFA Delete protection for your S3 buckets via the AWS CLI (enabling it via the AWS Management Console is not currently supported), perform the following:
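The audit logic behind this rule, plus the CLI invocation that remediates it, as an added example that is not part of the original page or the Conformity tool. It assumes the boto3 response shapes for `list_buckets` and `get_bucket_versioning` (an unversioned bucket returns no `Status` key, and `MFADelete` is absent until it has been configured); `FakeS3` and the bucket names are constructed so the example runs offline, and the real client would be `boto3.client("s3")`.

```python
"""Audit S3 buckets for MFA Delete using the same calls a boto3 client exposes."""


class FakeS3:
    """Constructed stand-in for boto3.client("s3") so the example runs offline."""

    def __init__(self, buckets):
        self._buckets = buckets  # {name: get_bucket_versioning() response body}

    def list_buckets(self):
        return {"Buckets": [{"Name": n} for n in self._buckets]}

    def get_bucket_versioning(self, Bucket):
        # Like the real API, an unversioned bucket returns no Status/MFADelete keys.
        return dict(self._buckets[Bucket])


def mfa_delete_finding(versioning):
    """Classify one get_bucket_versioning() response as (compliant, reason).

    MFA Delete only applies to versioned objects, so a bucket that was never
    versioned, or whose versioning is suspended, leaves objects unprotected.
    """
    status = versioning.get("Status")               # absent, "Enabled" or "Suspended"
    mfa = versioning.get("MFADelete", "Disabled")   # absent means never configured
    if status is None:
        return False, "versioning not configured"
    if status == "Suspended":
        return False, "versioning suspended"
    if mfa != "Enabled":
        return False, "versioning enabled but MFA Delete disabled"
    return True, "MFA Delete enabled"


def audit(s3):
    """Return {bucket_name: (compliant, reason)} for every bucket the client lists."""
    return {
        b["Name"]: mfa_delete_finding(s3.get_bucket_versioning(Bucket=b["Name"]))
        for b in s3.list_buckets()["Buckets"]
    }


def remediation_command(bucket, mfa_serial, mfa_code):
    """argv for the AWS CLI call that turns MFA Delete on. It must be run with the
    root user's credentials and the root MFA device: its serial ARN plus the
    current code, passed together as the single --mfa argument."""
    return ["aws", "s3api", "put-bucket-versioning", "--bucket", bucket,
            "--versioning-configuration", "Status=Enabled,MFADelete=Enabled",
            "--mfa", f"{mfa_serial} {mfa_code}"]


# Constructed sample inventory covering the four states the check distinguishes.
SAMPLE = FakeS3({
    "logs-prod": {"Status": "Enabled", "MFADelete": "Enabled"},
    "backups": {"Status": "Enabled"},
    "scratch": {},
    "archive": {"Status": "Suspended", "MFADelete": "Enabled"},
})
```

Running `audit(SAMPLE)` flags everything except `logs-prod`; with a real client, the same function walks every bucket in the account.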
S3 Bucket MFA Delete Enabled
Risk level: Low