Overview
In today’s digital world, securing sensitive data is of utmost importance. Cybersecurity threats, including unauthorized access and data breaches, are evolving and becoming more sophisticated. To safeguard your data, it’s crucial to implement strong security measures, and Multi-Factor Authentication (MFA) is one such effective measure.
Amazon S3 is a highly scalable cloud storage service offered by Amazon Web Services (AWS) that allows users to store and retrieve data anywhere on the web. This blog will explore how to set up MFA with Amazon S3 to secure your data.
Introduction to MFA
MFA is a security protocol that requires users to provide two or more authentication factors to access their accounts. Typically, the authentication factors include something the user knows (such as a password) and something the user has (such as a security token). MFA makes it more difficult for hackers to access your account since they need to obtain both the password and the security token.
Steps to Set up MFA with Amazon S3
To set up MFA with Amazon S3, you will need an AWS account, an MFA device, and the AWS Command Line Interface (CLI) installed on your local machine. Follow these steps to set up MFA with Amazon S3:
Step 1: Log in to Root Account
Step 2: Create an Amazon S3 Bucket
Step 3: Set up the CLI using Root Credentials
Download & Install AWS CLI.
Set up AWS account through CLI with Access Key & Secret Key.
aws configure --profile root-setup
Step 4: Verify your bucket’s versioning status
CLI Command
aws s3api get-bucket-versioning --bucket bucketname --profile profilename
Step 5: Enable MFA Delete
MFA ARN: Account Name -> MFA -> Serial Number
CLI Command
aws s3api put-bucket-versioning --profile profilename --bucket bucket-name --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "arn:aws:iam::AWSAccountId:mfa/root-account-mfa-device Passcode"
Step 6: Make sure MFA delete is turned on
CLI Command
aws s3api get-bucket-versioning --bucket bucket-name --profile profilename
Step 7: Test MFA delete
CLI Command
aws s3api delete-object --profile profilename --bucket bucket-name --version-id Q6U65OqQo46m7qtNzwi21qaSwCvRTg5o --key objectname --mfa "arn:aws:iam::AWSAccountId:mfa/root-account-mfa-device Passcode"
CLI Command (to disable MFA Delete)
aws s3api put-bucket-versioning --profile profilename --bucket bucket-name --versioning-configuration Status=Enabled,MFADelete=Disabled --mfa "arn:aws:iam::AWSAccountId:mfa/root-account-mfa-device Passcode"
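The Step 6 check can be turned into a repeatable audit that fails whenever versioning or MFA Delete is not enabled on a bucket. This script is an added example, not part of the original post; it assumes the AWS CLI is installed, and the function names, profile and bucket arguments are illustrative.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes the AWS CLI is
# installed and the profile may call s3:GetBucketVersioning.

# Turn the Status and MFADelete fields into a verdict. The CLI prints
# "None" for a field that has never been set on the bucket.
versioning_verdict() {
    vv_status=$1
    vv_mfa=$2
    if [ "$vv_status" != "Enabled" ]; then
        # MFA Delete only works on a versioned bucket.
        echo "FAIL versioning=$vv_status"
    elif [ "$vv_mfa" != "Enabled" ]; then
        echo "FAIL mfa-delete=$vv_mfa"
    else
        echo "OK"
    fi
}

# Print "<bucket> <verdict>"; return 0 only when both are Enabled.
check_bucket() {
    cb_bucket=$1
    cb_profile=$2
    cb_out=$(aws s3api get-bucket-versioning \
        --bucket "$cb_bucket" --profile "$cb_profile" \
        --query '[Status, MFADelete]' --output text) || {
        echo "$cb_bucket ERROR cannot-read-versioning"
        return 2
    }
    # Text output is "<Status><TAB><MFADelete>"; split on whitespace.
    set -- $cb_out
    cb_verdict=$(versioning_verdict "${1:-None}" "${2:-None}")
    echo "$cb_bucket $cb_verdict"
    [ "$cb_verdict" = "OK" ]
}

# Usage: sh check-mfa-delete.sh <profile> <bucket> [<bucket> ...]
audit_buckets() {
    ab_profile=$1
    shift
    ab_rc=0
    for ab_bucket in "$@"; do
        check_bucket "$ab_bucket" "$ab_profile" || ab_rc=1
    done
    return "$ab_rc"
}

if [ "$#" -ge 2 ]; then
    audit_buckets "$@"
fi
```

The non-zero exit status on any failing bucket lets the script run from a scheduled job or pipeline that alerts when MFA Delete has been switched off.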
Conclusion
Securing sensitive data is of utmost importance in today’s digital world. Multi-Factor Authentication (MFA) is an effective measure that adds an extra layer of security to your accounts. Enabling MFA with Amazon S3, a widely used cloud storage service, can significantly enhance the security posture of your data stored in the cloud.
FAQs
1. How does MFA work with Amazon S3?
ANS: – When you enable MFA for your Amazon S3 bucket, any request to delete an object requires security credentials (access key and secret access key) and a valid MFA code. This means that even if an attacker gains access to your security credentials, they cannot delete objects from your Amazon S3 bucket without the corresponding MFA device.
2. What happens if I lose my MFA device?
ANS: – If you lose your MFA device, you may not be able to delete objects from your Amazon S3 bucket until you either replace the device or disable MFA Delete for the bucket. To avoid this scenario, setting up a backup MFA device when you first enable MFA Delete is a good practice.
3. Can I enable MFA for an existing Amazon S3 bucket?
ANS: – Yes, you can enable MFA for an existing Amazon S3 bucket. However, you must first ensure that versioning is enabled for the bucket, as MFA Delete only works with versioned buckets. Once versioning is enabled, you can enable MFA Delete for the bucket using the AWS Management Console or AWS CLI.
WRITTEN BY Shaikh Mohammed Fariyaj Najam
Mohammed Fariyaj Shaikh works as a Research Associate at CloudThat. He has strong analytical thinking and problem-solving skills, knowledge of AWS Cloud Services, migration, infrastructure setup, and security, as well as the ability to adopt new technology and learn quickly.