@guitmz
Last active June 7, 2022 20:50
Enable MFA in CloudTrail S3 Bucket
  1. Run the list-buckets command (OSX/Linux/UNIX) to list all S3 buckets available in your AWS account:
aws s3api list-buckets \
  --query 'Buckets[*].Name'
  2. The command output should return the name of each S3 bucket available in your AWS account:
[
    "webapp-status-reports"
]
  3. MFA Delete depends on object versioning, so the best practice is to enable the two S3 features at the same time. Note that only the bucket owner, authenticated as the AWS account root user, can enable or disable MFA Delete, and the S3 console does not expose the setting: the CLI profile used for this step must hold root access keys, so create them for this task and delete them as soon as you are done. Run the put-bucket-versioning command (OSX/Linux/UNIX) to enable versioning and MFA Delete for the selected bucket, passing the serial ARN of the MFA device activated for your root account followed by the code it currently displays (replace AWS_ACCOUNT_ID_HERE and PASSCODE_HERE with your own values):
aws s3api put-bucket-versioning \
  --bucket webapp-status-reports \
  --versioning-configuration '{"MFADelete":"Enabled","Status":"Enabled"}' \
  --mfa 'arn:aws:iam::AWS_ACCOUNT_ID_HERE:mfa/root-account-mfa-device PASSCODE_HERE'
  4. Run the get-bucket-versioning command (OSX/Linux/UNIX) with the bucket name to determine whether S3 object versioning and MFA Delete have been enabled successfully:
aws s3api get-bucket-versioning \
  --bucket webapp-status-reports
  5. If both are enabled, the command output should look like the following (a bucket that has never been versioned returns no output at all):
{
  "MFADelete": "Enabled",
  "Status": "Enabled"
}
  6. Once MFA Delete is enabled, every request that permanently deletes an object version or changes the versioning state of the bucket must carry your MFA token: the MFA serial number (the full ARN of the device) and the passcode it currently displays. A plain delete with no version ID, which only adds a delete marker, still works without MFA. To test this feature, try to delete an S3 object version with and without the MFA token, using a disposable object, because a delete that names a version ID removes that version permanently. Run the list-object-versions command (OSX/Linux/UNIX) to return version information for an S3 object (file) called my-webapp-report-05032016.pdf in the selected bucket (the command filters by key prefix, so it also lists any other keys that start with that name):
aws s3api list-object-versions \
  --bucket webapp-status-reports \
  --prefix my-webapp-report-05032016.pdf

The command output should return each version ID of the selected object. The following output example shows the metadata for one object version (one entry of the Versions array that the command returns):

{
    "LastModified": "2016-05-10T11:54:08.000Z",
    "VersionId": "ubErddyQBw1v7y68Z42UBSEWZodwGQLD",
    "ETag": "\"04b921ba540251657f5c01eb38e1f035\"",
    "StorageClass": "STANDARD",
    "Key": "my-webapp-report-05032016.pdf",
    "Owner": {
        "DisplayName": "john.doe",
        "ID": "658f3e58089ec3bd00296f84056525e67415fd5e56dcfda3f8309358e99898"
    },
    "IsLatest": false,
    "Size": 14355
}

Run the s3api delete-object command (OSX/Linux/UNIX) without MFA authentication and try to delete the selected S3 object version:

aws s3api delete-object \
  --bucket webapp-status-reports \
  --version-id 'ubErddyQBw1v7y68Z42UBSEWZodwGQLD' \
  --key my-webapp-report-05032016.pdf

Without MFA authentication, the command should fail with an AccessDenied error. Older CLI releases print it as "A client error (AccessDenied) occurred: Mfa Authentication must be used for this request"; current releases print "An error occurred (AccessDenied) when calling the DeleteObject operation: Mfa Authentication must be used for this request". Either way, S3 refuses to delete an object version without MFA authentication. Now run the s3api delete-object command (OSX/Linux/UNIX) with MFA authentication to delete the selected S3 object version (replace AWS_ACCOUNT_ID_HERE and PASSCODE_HERE with your own values, as in step 3):

aws s3api delete-object \
  --bucket webapp-status-reports \
  --mfa 'arn:aws:iam::AWS_ACCOUNT_ID_HERE:mfa/root-account-mfa-device PASSCODE_HERE' \
  --version-id 'ubErddyQBw1v7y68Z42UBSEWZodwGQLD' \
  --key my-webapp-report-05032016.pdf

With MFA authentication, the request succeeds, the version is permanently removed, and the command output echoes the ID of the deleted version. The DeleteMarker field reports whether the version that was removed was itself a delete marker, not that a new one was created:

{
  "VersionId": "ubErddyQBw1v7y68Z42UBSEWZodwGQLD",
  "DeleteMarker": true
}
  7. Repeat steps no. 3 – 6 to enable and test the MFA Delete feature for each S3 bucket available in your AWS account.
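Step 7 asks you to repeat the procedure for every bucket, which means first finding the buckets whose versioning state still does not match the output shown in step 5. The script below is an added example, not part of the original gist: it wraps the same list-buckets and get-bucket-versioning commands in an account-wide audit, classifies each bucket's versioning JSON with plain POSIX tools (no jq dependency), and validates the "serial passcode" string that --mfa expects before it is sent. The account ID in the usage comment and the sample JSON fed to the classifier are constructed for illustration; audit_buckets assumes an AWS CLI that is installed and configured.

```shell
#!/bin/sh
# Added example (not part of the original gist): audit every bucket in the
# account for the versioning + MFA Delete state that steps 3-5 set up.
# Only audit_buckets talks to AWS; classify_versioning and mfa_arg are pure
# shell so they can be exercised on sample input without credentials.

# Map the JSON printed by `aws s3api get-bucket-versioning` to one word:
#   compliant             Status=Enabled and MFADelete=Enabled (step 5 output)
#   versioning-only       Status=Enabled but MFA Delete not enabled
#   versioning-suspended  Status=Suspended (old versions kept, new writes unversioned)
#   unversioned           no Status at all (the CLI prints nothing for such buckets)
classify_versioning() {
  # squeeze out whitespace so the key/value pairs are easy to match with sed
  compact=$(printf '%s' "$1" | tr -d ' \n\r\t')
  status=$(printf '%s' "$compact" | sed -n 's/.*"Status":"\([A-Za-z]*\)".*/\1/p')
  mfa=$(printf '%s' "$compact" | sed -n 's/.*"MFADelete":"\([A-Za-z]*\)".*/\1/p')
  case "$status" in
    Enabled)
      if [ "$mfa" = "Enabled" ]; then echo compliant; else echo versioning-only; fi ;;
    Suspended) echo versioning-suspended ;;
    *) echo unversioned ;;
  esac
}

# Build the value for --mfa: "<device serial ARN> <current 6-digit code>".
# Refuses anything that is not a 6-digit TOTP code so a pasted ARN or an
# empty variable never reaches the API.
mfa_arg() {
  serial="$1"; code="$2"
  case "$code" in
    [0-9][0-9][0-9][0-9][0-9][0-9]) printf '%s %s' "$serial" "$code"; return 0 ;;
    *) echo "mfa_arg: passcode must be exactly 6 digits" >&2; return 1 ;;
  esac
}

# Walk the account (needs credentials) and print "<bucket> <state>" per line.
# Any state other than "compliant" means steps 3-6 are still outstanding.
audit_buckets() {
  aws s3api list-buckets --query 'Buckets[*].Name' --output text | tr '\t' '\n' |
  while read -r bucket; do
    [ -n "$bucket" ] || continue
    json=$(aws s3api get-bucket-versioning --bucket "$bucket" 2>/dev/null)
    printf '%s %s\n' "$bucket" "$(classify_versioning "$json")"
  done
}

# Usage:
#   ./audit-mfa-delete.sh --audit       list every bucket and its state
#   ./audit-mfa-delete.sh --self-test   run the classifier on constructed JSON
#   MFA=$(mfa_arg 'arn:aws:iam::123456789012:mfa/root-account-mfa-device' 123456)
#   (the account ID above is a placeholder, not a real account)
case "${1:-}" in
  --audit) audit_buckets ;;
  --self-test)
    # constructed sample outputs, one per state
    classify_versioning '{"MFADelete": "Enabled", "Status": "Enabled"}'
    classify_versioning '{"Status": "Enabled"}'
    classify_versioning '{"MFADelete": "Disabled", "Status": "Suspended"}'
    classify_versioning '' ;;
  *) echo "usage: $0 --audit | --self-test" >&2 ;;
esac
```

Run it with root credentials only if you also intend to remediate in the same session; the audit itself needs nothing beyond s3:ListAllMyBuckets and s3:GetBucketVersioning, so an ordinary read-only role is enough to find the buckets that still need step 3.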