S3 MFA Delete
Overview
Amazon S3 MFA Delete is a feature that provides an extra layer of security for Amazon S3 bucket objects. It prevents the accidental deletion of objects in a bucket by requiring users to provide additional authentication, in the form of a time-based one-time password (TOTP), when deleting objects. In this article, we'll learn about AWS S3 MFA Delete in detail.
What is MFA Delete?
Amazon S3 MFA (Multi-Factor Authentication) Delete is a security feature for Amazon S3 buckets that adds an extra layer of security to things stored in the bucket. By requesting additional authentication from users in the form of a time-based one-time password (TOTP) when deleting objects from the bucket, it prevents the unintentional deletion of objects.
In circumstances where data loss could be disastrous, such as in a commercial environment, this function is especially helpful. Only objects contained in an Amazon S3 bucket may be deleted using Amazon S3 MFA Delete.
Other operations like uploading, copying, or moving items inside or between buckets are unaffected. One may fine-tune who is permitted to delete objects from the bucket with S3 MFA Delete, which is simple to set up and can be enabled using AWS CLI or Rest APIs.
Authentication Required for MFA Delete
The following must be accessed by the user to enable S3 MFA Delete:
- AWS root user security credentials, i.e. access key, and secret access key.
- Authenticated MFA device for the root user.
The MFA code will be used to enable the S3 MFA delete, whereas the AWS security credentials will be used to programmatically access the AWS account using either the AWS CLI or Rest API.
Users must provide additional authentication in the form of the concatenation of a valid serial number, a space, and the six-digit code displayed on an authorized authentication device to use Amazon S3 MFA Delete to delete objects or change the versioning configuration.
Enable MFA on S3 Bucket
AWS S3 MFA Delete can be only configured using the root account credentials on the versioning-enabled S3 bucket. We also need an MFA device serial number for the root account which can be accessed using the Security Credentials tab in the AWS console.
Using AWS CLI
To enable S3 MFA Delete using the AWS CLI, use the following command:
The –mfa flag adds the configuration of the MFA device, which is the serial number and MFA code separated by space.
Using REST API
Using AWS S3 Rest API’s PutBucketVersioning API the S3 MFA Delete can be enabled. We must include the x-amz-mfa request header, the Status, and the MfaDelete request elements in a request to enable S3 MFA Delete.
Disable MFA Delete on S3 Bucket
To enable S3 MFA Delete using the AWS CLI, use the following command:
The –mfa flag adds the configuration of the MFA device, which is the serial number and MFA code separated by space.
Conclusion
- Only objects contained in an Amazon S3 bucket may be deleted using Amazon S3 MFA Delete.
- Other operations like uploading, copying, or moving items inside or between buckets are unaffected.
- S3 MFA Delete is only applicable to the deletion of individual objects, not entire buckets
- By requesting additional authentication from users in the form of a time-based one-time password (TOTP) when deleting objects, it adds an extra layer of security.
- AWS S3 MFA Delete can be only enabled using AWS CLI or Rest APIs using the root user's credentials.
- This feature can help prevent accidental or unauthorized deletion of objects from an S3 bucket, providing an additional level of security for your data.
- Once MFA Delete is enabled for a bucket, users will be prompted to enter a valid MFA code when attempting to delete objects from the bucket.