How do I turn on MFA delete for my Amazon S3 bucket?


I want to turn on multi-factor authentication (MFA) delete for my Amazon Simple Storage Service (Amazon S3) bucket to protect my objects from unintended deletions.

Short description

When you don't configure MFA delete, anyone with either of the following can permanently delete an Amazon S3 object version:

  • Root user password
  • AWS Identity and Access Management (IAM) user or role credentials with delete permission

When you configure MFA delete, only the root user can permanently delete object versions or change the versioning configuration on your S3 bucket. You must use an MFA device to authenticate the root user to perform the delete action.

To configure MFA delete for your bucket, complete the following steps:

  1. Generate an access key and secret key for the root user.
  2. Activate an MFA device for the root user.
  3. Configure the AWS CLI with the root user credentials.
  4. Configure MFA delete.
  5. Confirm that MFA delete is working, and delete your root access keys.

You can use MFA delete only on buckets that have S3 Versioning turned on. The bucket owner, the AWS account that created the bucket, and all authorized IAM users can turn on versioning. However, only the root user can turn on MFA delete. To turn on MFA delete, you must use the AWS CLI or the Amazon S3 REST API; the Amazon S3 console can't turn it on.

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

Resolution

Generate an access key and secret key for the root user

First, create access keys for the root user. After you create these keys, you must immediately download and save the keys. You can't retrieve these keys later. 

Activate an MFA device for the root user

If you didn't activate an MFA device for the root user, then see Enable a virtual MFA device for the root user (console). If you already activated an MFA device for the root user, then note the ARN.

Configure the AWS CLI with the root user credentials

Complete the following steps:

  1. Run the aws configure command.
  2. For AWS Access Key ID, enter the root user's access key ID (for example, AKIAEXAMPLEABCQWE).
  3. For AWS Secret Access Key, enter the root user's secret access key. You can find it in the file that you downloaded when you created the root user's credentials.
  4. (Optional) For the Default region name, you can enter the default AWS Region.
  5. (Optional) For the Default output format, you can enter the output format.

Important: If you configured named profiles in the AWS CLI, then you must create another profile for the root user's credentials. To configure a named profile, run the following configure command:

aws configure --profile root_user

Turn on S3 MFA delete

To turn on MFA delete, run the put-bucket-versioning command:

aws s3api put-bucket-versioning --bucket mybucketname --versioning-configuration MFADelete=Enabled,Status=Enabled --mfa "arn:aws:iam::1XXXXXXX6789:mfa/root-account-mfa-device 123789"

Note: In the preceding command, replace 1XXXXXXX6789 with your account ID and 123789 with the six-digit authentication code that the MFA device currently displays. The ARN part is the device's serial number and must match the MFA device ARN that you noted earlier; the serial number and the code are separated by a single space.

If you use a named profile for the root user, then run the following put-bucket-versioning command:

aws s3api put-bucket-versioning --bucket mybucketname --versioning-configuration MFADelete=Enabled,Status=Enabled --mfa "arn:aws:iam::1XXXXXXX6789:mfa/root-account-mfa-device 123789" --profile root_user

If the command is successful, then it returns no output. If you get an error, then confirm that you're using the root user's credentials, that the ARN matches the root user's MFA device, and that the code is the one that the device currently displays (a code is valid for only a short time, so enter a fresh one).

You can also call the PutBucketVersioning API to turn on MFA delete.

Note: You can't use MFA delete with lifecycle configurations. If there's a lifecycle configuration on the bucket and you run the preceding put-bucket-versioning command, then you get the following error:

"An error occurred (InvalidBucketState) when calling the PutBucketVersioning operation: Mfa Authentication is not supported on a bucket with lifecycle configuration. Delete lifecycle configuration before enabling Mfa Authentication."
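As an added example that is not part of the original article, the following POSIX shell script runs the steps above against a named root profile: it builds the --mfa value from the device ARN and the current code, refuses a bucket that still has a lifecycle configuration (the InvalidBucketState case above), turns on MFA delete, and then reads the versioning state back, because put-bucket-versioning prints nothing on success. The profile name root_user (overridable through AWS_ROOT_PROFILE), the script name, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not AWS's own code): turn on MFA delete with the root user's
# named profile and confirm the result. Assumptions: a profile named "root_user"
# (override with AWS_ROOT_PROFILE) holds the root user's access keys, and the
# caller supplies the MFA device's serial ARN and the code it currently shows.
set -u

PROFILE=${AWS_ROOT_PROFILE:-root_user}

# Build the --mfa value: "<serial ARN> <six-digit code>", separated by one space.
# Fails locally on an obvious typo instead of as an AccessDenied from S3.
mfa_value() {
  serial=$1
  code=$2
  case "$serial" in
    arn:aws*:iam::*:mfa/*) ;;
    *) echo "mfa_value: not an MFA serial ARN: $serial" >&2; return 1 ;;
  esac
  case "$code" in
    [0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo "mfa_value: the MFA code must be six digits" >&2; return 1 ;;
  esac
  printf '%s %s\n' "$serial" "$code"
}

# Read get-bucket-versioning JSON on stdin; succeed only when both
# "Status" and "MFADelete" are "Enabled".
mfa_delete_enabled() {
  json=$(cat)
  printf '%s' "$json" | grep -q '"Status": *"Enabled"' &&
    printf '%s' "$json" | grep -q '"MFADelete": *"Enabled"'
}

# Enable MFA delete on $1 and verify it. Refuses buckets that still carry a
# lifecycle configuration, which S3 would reject with InvalidBucketState anyway.
enable_mfa_delete() {
  bucket=$1
  mfa=$(mfa_value "$2" "$3") || return 1

  if out=$(aws s3api get-bucket-lifecycle-configuration \
             --bucket "$bucket" --profile "$PROFILE" 2>&1); then
    echo "$bucket has a lifecycle configuration; delete it before enabling MFA delete" >&2
    return 1
  elif ! printf '%s' "$out" | grep -q NoSuchLifecycleConfiguration; then
    # Any other failure (wrong profile, no such bucket) must not be mistaken
    # for "no lifecycle configuration".
    echo "could not check lifecycle configuration: $out" >&2
    return 1
  fi

  aws s3api put-bucket-versioning --bucket "$bucket" --profile "$PROFILE" \
    --versioning-configuration MFADelete=Enabled,Status=Enabled \
    --mfa "$mfa" || return 1

  # put-bucket-versioning prints nothing on success, so read the state back.
  aws s3api get-bucket-versioning --bucket "$bucket" --profile "$PROFILE" \
    | mfa_delete_enabled
}

# Usage: sh enable-mfa-delete.sh <bucket> <mfa-serial-arn> <current-mfa-code>
if [ $# -eq 3 ]; then
  if enable_mfa_delete "$1" "$2" "$3"; then
    echo "MFA delete is enabled on $1; now delete the root access keys"
  else
    echo "MFA delete is NOT enabled on $1" >&2
    exit 1
  fi
fi
```

The lifecycle check deliberately treats any error other than NoSuchLifecycleConfiguration as a failure, so a wrong profile or a mistyped bucket name can't be mistaken for "no lifecycle configuration".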

Confirm that MFA delete is working

First, make sure that you turned on S3 Versioning. You can use either the Amazon S3 console or the following get-bucket-versioning command:

aws s3api get-bucket-versioning --bucket mybucketname

Example output:

{    
    "Status": "Enabled",    
    "MFADelete": "Enabled"    
}

To permanently delete an object version, you must include the x-amz-mfa request header. Use the --mfa option of the delete-object command to set the header value, which is your authentication device's serial number (its ARN), a space, and the authentication code that the device currently displays. For more information, see Deleting an object from an MFA delete-enabled bucket.

If MFA delete is turned on and you try to delete an object version without the x-amz-mfa header, then you get the following error. An IAM user or role that tries to delete the object version also gets this error:

aws s3api delete-object --bucket mybucketname --key myobjectkey --version-id 3HL4kqCxf3vjVBH40Nrjkd

"An error occurred (AccessDenied) when calling the DeleteObject operation: Mfa Authentication must be used for this request"

To use the root user to delete an object version in a bucket with MFA delete turned on, run the following delete-object command:

aws s3api delete-object --bucket mybucketname --key myobjectkey --version-id 3HLkqCxf3vjVBH40Nrjkd --mfa "arn:aws:iam::(accountnumber):mfa/root-account-mfa-device (pass)"

Example output:

{
    "VersionId": "3HLkqCxf3vjVBH40Nrjkd"
}

Note: To allow IAM users or roles in your account to run delete-object without a version ID, grant them s3:DeleteObject permission. On a versioning-enabled bucket, that request only adds a delete marker; it doesn't permanently delete any object version, so MFA delete doesn't block it. To permanently delete an object version, you must specify its version ID and, when MFA delete is turned on, send the request as the root user with the x-amz-mfa header.
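The following POSIX shell script is an added example, not code from the article, showing the two deletes that the note above distinguishes: a soft delete that any principal with s3:DeleteObject can run and that only writes a delete marker, and a permanent, version-specific delete that must be sent as the root user with --mfa. It also recognizes the AccessDenied text shown above and explains it. The profile name root_user (overridable through AWS_ROOT_PROFILE), the use of the default profile for the IAM principal, and the function and script names are assumptions.

```shell
#!/bin/sh
# Added example (not AWS's own code): the two kinds of delete on a versioned
# bucket with MFA delete turned on. Assumptions: the default profile is an IAM
# principal with s3:DeleteObject, a profile named "root_user" (override with
# AWS_ROOT_PROFILE) holds the root user's keys, and the caller passes the --mfa
# value as one string, "<serial ARN> <six-digit code>".
set -u

ROOT_PROFILE=${AWS_ROOT_PROFILE:-root_user}

# Classify delete-object's JSON: "marker" when the response carries
# "DeleteMarker": true, otherwise "version" (a concrete version was removed).
delete_result_kind() {
  if printf '%s' "$1" | grep -q '"DeleteMarker": *true'; then
    echo marker
  else
    echo version
  fi
}

# Soft delete: no version ID and no MFA. Works for any principal with
# s3:DeleteObject even when MFA delete is on, because S3 only adds a delete
# marker; the data stays recoverable by deleting that marker later.
soft_delete() {
  bucket=$1; key=$2
  out=$(aws s3api delete-object --bucket "$bucket" --key "$key") || return 1
  echo "$key: $(delete_result_kind "$out") created; the object versions are still stored"
}

# Permanent delete: needs the version ID, the x-amz-mfa header (--mfa) and the
# root user. Explains the AccessDenied that a missing or non-root MFA produces.
permanent_delete() {
  bucket=$1; key=$2; version_id=$3; mfa=$4
  if ! out=$(aws s3api delete-object --bucket "$bucket" --key "$key" \
               --version-id "$version_id" --mfa "$mfa" \
               --profile "$ROOT_PROFILE" 2>&1); then
    case "$out" in
      *"Mfa Authentication must be used"*)
        echo "MFA delete is on: send the request as root with a valid --mfa value" >&2 ;;
    esac
    echo "$out" >&2
    return 1
  fi
  echo "$key@$version_id: $(delete_result_kind "$out") removed permanently"
}

# Usage:
#   sh s3-delete.sh soft <bucket> <key>
#   sh s3-delete.sh permanent <bucket> <key> <version-id> "<mfa-serial-arn> <code>"
case "${1:-}" in
  soft)      soft_delete "$2" "$3" ;;
  permanent) permanent_delete "$2" "$3" "$4" "$5" ;;
esac
```

Running the permanent form with the default (IAM) profile, or without --mfa, reproduces the "Mfa Authentication must be used for this request" error above; the soft form succeeds for the IAM principal regardless of MFA delete.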

After you turn on MFA delete, take the following actions as a security best practice:

AWS OFFICIAL. Updated 3 months ago.