S3 MFA Delete is a feature that requires Multi-Factor Authentication (MFA) to be presented before a versioned object can be permanently deleted or its version history can be suspended.
Here’s how you can set up and understand S3 MFA Delete:
Enabling MFA Delete
To enable MFA Delete for a bucket, you need to use the AWS CLI.
First, ensure you have the AWS CLI installed and configured with appropriate permissions.
You’ll need to know your bucket name and the current version of your bucket configuration. You can get this information using:
aws s3api get-bucket-versioning --bucket your-bucket-name
If versioning is already enabled, you’ll see something like this:
{
"Status": "Enabled"
}
If versioning is not enabled, you’ll need to enable it first:
aws s3api put-bucket-versioning --bucket your-bucket-name --versioning-configuration Status=Enabled
Once versioning is enabled, you can enable MFA Delete. This requires you to provide an MFA code. The put-bucket-versioning command is used again, but this time with the MFADelete key in the versioning configuration and the --mfa option carrying your device serial number and current code.
aws s3api put-bucket-versioning --bucket your-bucket-name --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "YOUR_MFA_DEVICE_SERIAL_NUMBER YOUR_6_DIGIT_MFA_CODE"
Replace your-bucket-name with your actual bucket name, YOUR_MFA_DEVICE_SERIAL_NUMBER with the serial number of your virtual or hardware MFA device (e.g., arn:aws:iam::123456789012:mfa/user), and YOUR_6_DIGIT_MFA_CODE with the current 6-digit code from your MFA device. The --mfa value is a single string: the serial number, one space, then the code.
If successful, there will be no output.
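After enabling the setting, the natural follow-up is to verify it and to find buckets that are still unprotected. The POSIX shell functions below are an added example written for this page, not code from the original article or from AWS; the function names are my own, and the only external dependency is the configured AWS CLI the steps above already assume. check_versioning_json takes the JSON printed by get-bucket-versioning and reports whether the bucket is versioned with MFA Delete enabled; the two audit functions wrap the CLI calls around it.

```shell
#!/bin/sh
# Added example (not from the original article): audit S3 buckets for MFA Delete.
# Assumes the AWS CLI is installed and configured, as the article's steps require.

# Classify one get-bucket-versioning JSON document.
# Prints exactly one verdict word and returns 0 only when both versioning
# and MFA Delete are Enabled. A bucket that was never versioned prints no
# JSON at all, which correctly lands in the "versioning-off" branch.
check_versioning_json() {
    json="$1"
    if ! printf '%s' "$json" | grep -Eq '"Status"[[:space:]]*:[[:space:]]*"Enabled"'; then
        echo "versioning-off"
        return 1
    fi
    if printf '%s' "$json" | grep -Eq '"MFADelete"[[:space:]]*:[[:space:]]*"Enabled"'; then
        echo "protected"
        return 0
    fi
    echo "mfa-delete-off"
    return 1
}

# Query one bucket and print "<bucket> <verdict>". Calls the AWS CLI, so it
# only does anything when you invoke it against a real account.
audit_bucket() {
    bucket="$1"
    json=$(aws s3api get-bucket-versioning --bucket "$bucket" --output json) || return 2
    verdict=$(check_versioning_json "$json") || :
    echo "$bucket $verdict"
}

# Walk every bucket in the account; lines not ending in "protected" need attention.
audit_all_buckets() {
    aws s3api list-buckets --query 'Buckets[].Name' --output text | tr '\t' '\n' |
    while read -r b; do
        [ -n "$b" ] && audit_bucket "$b"
    done
}

# Usage when run as a script: ./audit-mfa-delete.sh
# audit_all_buckets
```

The checks use grep rather than a JSON parser so the script runs anywhere the CLI does; the whitespace-tolerant patterns cover the CLI's default pretty-printed output. Pipe audit_all_buckets into grep -v protected to get the remediation list.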
How it Works
When MFA Delete is enabled, any attempt to permanently delete an object version (using s3:DeleteObjectVersion) or to suspend versioning (using s3:PutBucketVersioning) will fail unless the request includes valid MFA authentication.
This means that for these sensitive operations, the user or application making the request must provide:
- The x-amz-mfa header in the request, containing the MFA device serial number and the current MFA code.
- The necessary IAM permissions for the action (e.g., s3:DeleteObjectVersion).
Let’s say you have an object my-file.txt in your-bucket-name and versioning is enabled with MFA Delete. If you try to delete a specific version of this object without MFA:
aws s3api delete-object --bucket your-bucket-name --key my-file.txt --version-id abcdef1234567890abcdef1234567890
You will receive an error similar to:
<Error>
<Code>AccessDenied</Code>
<Message>MFA is required to perform this operation.</Message>
<RequestId>...</RequestId>
<HostId>...</HostId>
</Error>
To successfully delete it, you would need to include the MFA details (the --mfa option is what sets the x-amz-mfa header):
aws s3api delete-object --bucket your-bucket-name --key my-file.txt --version-id abcdef1234567890abcdef1234567890 --mfa "YOUR_MFA_DEVICE_SERIAL_NUMBER YOUR_6_DIGIT_MFA_CODE"
Similarly, suspending versioning would require MFA.
Who Needs MFA Delete?
MFA Delete is crucial for any bucket containing critical data where accidental or malicious deletion could have severe consequences. It’s particularly important for:
- Compliance Requirements: Many regulations mandate robust data protection and retention policies.
- Critical Business Data: Buckets holding financial records, intellectual property, or operational data.
- Production Environments: Preventing accidental data loss that could disrupt services.
The "Surprising" Mechanism
What often surprises people is that MFA Delete is not enforced by an IAM policy alone. While IAM policies grant the permission to perform actions like s3:DeleteObjectVersion or s3:PutBucketVersioning, MFA Delete is a bucket-level configuration that acts as an additional, mandatory gatekeeper for these specific actions. Even if an IAM policy explicitly allows s3:DeleteObjectVersion without any MFA condition, the bucket’s MFA Delete setting will still require the MFA code to be presented in the request headers. This provides a layered defense, ensuring that even if IAM policies are overly permissive, the critical deletion actions are still protected.
The MFA code and serial number are not stored by S3; they are validated against the IAM user’s configured MFA device at the time of the request. This means your MFA device’s current code is always the key, and S3 doesn’t hold any secrets.
The next step after ensuring your critical data is protected from accidental deletion is to implement a robust lifecycle policy for managing older versions of your objects.