How to Enable MFA Delete on AWS S3 Buckets?


Object storage is a very popular service in the cloud; the first thing organizations normally move to the cloud is their object storage, that is, files such as documents, images, audio, video, and other content data.

With the many different services that exist in the cloud, security is a top priority for any organization. Therefore, protecting data against accidental deletion should also be on the top list of operations. In AWS S3 you can optionally add another layer of security by configuring buckets to enable MFA Delete, which can help prevent accidental deletion of buckets and their content.

In this post, we cover how to enable MFA Delete (multi-factor authentication) on S3 buckets in AWS. If you want to learn more about how to enable MFA itself, I did a post on it a while back.

Note: Currently this option is only available via the AWS CLI or the REST API.

Enable MFA Delete on an S3 bucket

Once you have created an S3 bucket, run the following command to enable MFA Delete.

Note: You must use the AWS root account to enable MFA Delete on S3 buckets; I have tried using an IAM Administrator but it does not work. Also, make sure you have enabled versioning on the S3 bucket (the following CLI command also enables versioning).

You need to pass the root account's MFA device serial number and the current MFA token value. (I have created a separate CLI profile for my root account.)

$ aws s3api put-bucket-versioning --profile my-root-profile --bucket my-bucket-name --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "arn:aws:iam::00000000:mfa/root-account-mfa-device 123456"

Executing the above command enables MFA Delete on the S3 bucket.

You can confirm it in the AWS console.
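You can also confirm it from the CLI. The following is an added Python example, not code from the original post: it evaluates the JSON that aws s3api get-bucket-versioning returns for a batch of buckets, handles the never-versioned and suspended edge cases, and formats the --mfa value used above. The bucket names and the 12-digit account ID in the MFA ARN are constructed placeholders.

```python
import re

# Assumption: IAM MFA device ARNs carry a 12-digit account ID and a device name.
MFA_SERIAL_RE = re.compile(r"^arn:aws:iam::\d{12}:mfa/[\w+=,.@/-]+$")


def mfa_delete_status(versioning: dict) -> tuple:
    """Judge one `aws s3api get-bucket-versioning --output json` response.

    A never-versioned bucket returns {} (no Status key); a bucket whose MFA
    Delete was never configured has no MFADelete key; a Suspended Status
    must fail even if MFADelete still reads "Enabled".
    """
    status = versioning.get("Status")
    mfa = versioning.get("MFADelete")
    if status is None:
        return False, "versioning never enabled"
    if status != "Enabled":
        return False, f"versioning is {status}"
    if mfa != "Enabled":
        return False, "MFA Delete is " + (mfa or "not configured")
    return True, "versioning and MFA Delete enabled"


def build_mfa_arg(serial: str, token: str) -> str:
    """Format the --mfa / x-amz-mfa value: '<device ARN> <current 6-digit code>'."""
    if not MFA_SERIAL_RE.match(serial):
        raise ValueError(f"not an IAM MFA device ARN: {serial}")
    if not re.fullmatch(r"\d{6}", token):
        raise ValueError("MFA token must be the current 6-digit code")
    return f"{serial} {token}"


def audit(configs: dict) -> dict:
    """Map bucket name -> (compliant, reason) for a batch of CLI responses."""
    return {name: mfa_delete_status(cfg) for name, cfg in configs.items()}


# Constructed sample responses, one per bucket, standing in for real CLI output.
SAMPLE = {
    "logs-bucket": {"Status": "Enabled", "MFADelete": "Enabled"},
    "legacy-bucket": {},
    "docs-bucket": {"Status": "Enabled"},
    "paused-bucket": {"Status": "Suspended", "MFADelete": "Enabled"},
}

if __name__ == "__main__":
    for name, (ok, why) in audit(SAMPLE).items():
        print(f"{'PASS' if ok else 'FAIL'} {name}: {why}")
```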

$ aws s3api delete-object --bucket my-bucket-name --key my-file-name.jpg
{
    "DeleteMarker": true,
    "VersionId": "ZqKCWV3gMdDpeTdySysyDgwnlFi8tutI"
}

Execute the above command and... guess what, the file is deleted. MFA Delete only protects the deletion of object versions: when you try to delete the file, it is in fact removed from the bucket (a delete marker is written, as the output shows), but the previous version is kept.

The behavior is similar when deleting from the AWS console: it deletes the file but does not allow the version to be deleted.


This time, when we try to delete a specific object version, we should get an error that MFA is required.

$ aws s3api delete-object --bucket my-bucket-name --key my-file-name.jpg --version-id FqXGVAVzMdsXwTdySysyDgwnxyZyzxYxy

An error occurred (AccessDenied) when calling the DeleteObject operation: Mfa Authentication must be used for this request

Delete using MFA

In order to delete file versions or change the versioning state of the bucket, you need to include the x-amz-mfa header in the REST API request or pass --mfa to the AWS CLI.

$ aws s3api delete-object --profile my-root-profile --bucket my-bucket-name --key my-file-name.jpg --version-id myfileVeRsioNiU8u4DTsqUg9NR_Z_SA --mfa "arn:aws:iam::000000000:mfa/root-account-mfa-device 123456"
{
    "VersionId": "myfileVeRsioNiU8u4DTsqUg9NR_Z_SA"
}


In this post, we have covered how to enable and work with MFA Delete on S3 buckets.

I hope you like this post.


About DataNext

DataNext Solutions is a US-based system integrator specialized in Cloud, Big Data, and DevOps technologies. As a registered AWS partner, our services comprise Cloud Migration, Cost Optimization, Integration, Security, and Managed Services. Click here to book a free assessment call with our experts today, or visit our website for more info.

Written by

Cloud Security Expert & CEO of DataNext Solutions, helping people every day with the latest tech. Connect @LinkedIn
