A Guide for Enabling MFA Delete for Amazon S3 Buckets

Overview

In today’s digital world, securing sensitive data is of utmost importance. Cybersecurity threats, including unauthorized access and data breaches, are evolving and becoming more sophisticated. To safeguard your data, it’s crucial to implement strong security measures, and Multi-Factor Authentication (MFA) is one such effective measure.

The critical security feature, multi-factor authentication (MFA), further protects sensitive data. MFA helps ensure that only authorized users can access your data by requiring them to provide additional authentication factors beyond just a username and password.

Amazon S3 is a highly scalable cloud storage service offered by Amazon Web Services (AWS) that allows users to store and retrieve data anywhere on the web. This blog will explore how to set up MFA with Amazon S3 to secure your data.

Pioneers in Cloud Consulting & Migration Services

Reduced infrastructural costs
Accelerated application deployment

Get Started

Introduction to MFA

MFA is a security protocol that requires users to provide two or more authentication factors to access their accounts. Typically, the authentication factors include something the user knows (such as a password) and something the user has (such as a security token). MFA makes it more difficult for hackers to access your account since they need to obtain both the password and the security token.

Steps to Set up MFA with Amazon S3

To set up MFA with Amazon S3, you will need an AWS account, an MFA device, and the AWS Command Line Interface (CLI) installed on your local machine. Follow these steps to set up MFA with Amazon S3:

Step 1: Log in to Root Account

Step 2: Create an Amazon S3 Bucket

Step 3: Setup CLI using Root Credentials

Download & Install AWS CLI.

step3

Set up AWS account through CLI with Access Key & Secret Key.

step3b

aws configure --profile root-setup

1	aws configure --profile root-setup

Step 4: Verify your bucket’s versioning status

CLI Command

aws s3api get-bucket-versioning --bucket bucketname --profile profilename

1	aws s3api get-bucket-versioning --bucket bucketname --profile profilename

step4

Step 5: Enable MFA Delete

MFA ARN

Account Name -> MFA -> Serial Number

step5

CLI Command

aws s3api put-bucket-versioning --bucket bucket-name --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "arn:aws:iam::AWSAccountId:mfa/root-account-mfa-device Passcode"

1	aws s3api put-bucket-versioning --bucket bucket-name --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "arn:aws:iam::AWSAccountId:mfa/root-account-mfa-device Passcode"

Step 6: Make sure MFA delete is turned on

CLI Command

aws s3api get-bucket-versioning --bucket bucket-name --profile profilename

1	aws s3api get-bucket-versioning --bucket bucket-name --profile profilename

Step 7: Test MFA delete

CLI Command

aws s3api delete-object --profile profilename --bucket bucket-name --version-id Q6U65OqQo46m7qtNzwi21qaSwCvRTg5o --key objectname --mfa "arn:aws:iam::AWSAccountId:mfa/root-account-mfa-device Passcode"

1	aws s3api delete-object --profile profilename --bucket bucket-name --version-id Q6U65OqQo46m7qtNzwi21qaSwCvRTg5o --key objectname --mfa "arn:aws:iam::AWSAccountId:mfa/root-account-mfa-device Passcode"

CLI Command

aws s3api put-bucket-versioning --profile profilename --bucket bucket-name --versioning-configuration Status=Enabled,MFADelete=Disabled --mfa " arn:aws:iam::AWSAccountId:mfa/root-account-mfa-device Passcode"

1	aws s3api put-bucket-versioning --profile profilename --bucket bucket-name --versioning-configuration Status=Enabled,MFADelete=Disabled --mfa " arn:aws:iam::AWSAccountId:mfa/root-account-mfa-device Passcode"

Conclusion

Securing sensitive data is of utmost importance in today’s digital world. Multi-Factor Authentication (MFA) is an effective measure that adds an extra layer of security to your accounts. Enabling MFA with Amazon S3, a widely used cloud storage service, can significantly enhance the security posture of your data stored in the cloud.

Making IT Networks Enterprise-ready – Cloud Management Services

Accelerated cloud migration
End-to-end view of the cloud environment

Get Started

About CloudThat

CloudThat is an award-winning company and the first in India to offer cloud training and consulting services worldwide. As a Microsoft Solutions Partner, AWS Advanced Tier Training Partner, and Google Cloud Platform Partner, CloudThat has empowered over 850,000 professionals through 600+ cloud certifications winning global recognition for its training excellence including 20 MCT Trainers in Microsoft’s Global Top 100 and an impressive 12 awards in the last 8 years. CloudThat specializes in Cloud Migration, Data Platforms, DevOps, IoT, and cutting-edge technologies like Gen AI & AI/ML. It has delivered over 500 consulting projects for 250+ organizations in 30+ countries as it continues to empower professionals and enterprises to thrive in the digital-first world.

FAQs

1. How does MFA work with Amazon S3?

ANS: – When you enable MFA for your Amazon S3 bucket, any request to delete an object requires security credentials (access key and secret access key) and a valid MFA code. This means that even if an attacker gains access to your security credentials, they cannot delete objects from your Amazon S3 bucket without the corresponding MFA device.

2. What happens if I lose my MFA device?

ANS: – If you lose your MFA device, you may not be able to delete objects from your Amazon S3 bucket until you either replace the device or disable MFA Delete for the bucket. To avoid this scenario, setting up a backup MFA device when you first enable MFA Delete is a good practice.

3. Can I enable MFA for an existing Amazon S3 bucket?

ANS: – Yes, you can enable MFA for an existing Amazon S3 bucket. However, you must first ensure that versioning is enabled for the bucket, as MFA Delete only works with versioned buckets. Once versioning is enabled, you can enable MFA Delete for the bucket using the AWS Management Console or AWS CLI.

WRITTEN BY Shaikh Mohammed Fariyaj Najam

Mohammed Fariyaj Shaikh works as a Research Associate at CloudThat. He has strong analytical thinking and problem-solving skills, knowledge of AWS Cloud Services, migration, infrastructure setup, and security, as well as the ability to adopt new technology and learn quickly.