AWSOverview
Overview
Once MFA Delete is enabled on your sensitive and classified S3 bucket it requires the user to have two forms of authentication.
Remediation guidance
Perform the steps below to enable MFA delete on an S3 bucket.
Note:
-You cannot enable MFA Delete using the AWS Management Console. You must use the AWS CLI or API.
-You must use your 'root' account to enable MFA Delete on S3 buckets.
From Command Line
- Run the s3api put-bucket-versioning command
aws s3api put-bucket-versioning --profile my-root-profile --bucket Bucket_Name --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "arn:aws:iam::aws_account_id:mfa/root-account-mfa-device passcode"```
## Service-wide remediation
> **Recommended when many resources are affected:** fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
### AWS
Use AWS Organizations guardrails, AWS Config rules or conformance packs where they fit, approved account baselines, and IaC modules so new resources inherit the secure setting.
## Operational rollout
1. Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
2. Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
3. Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
MFA Delete is enabled on S3 buckets
Connectors
AWS
Covered asset types
Bucket
Expected check: eq []
{buckets(where:{bucketVersioningMFADelete:false}){...AssetFragment}}
