MEDIUM S3 · CIS 2.1.2

S3 MFA Delete

Check ID: aws-s3-007

AWS-S3-007 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It checks whether S3 buckets have MFA Delete enabled, which protects versioned objects against accidental or malicious deletion.

Why it matters

MFA Delete adds a second layer of protection against accidental or malicious deletion of S3 objects. Without it, anyone with DeleteObject permissions can permanently remove versioned objects or disable versioning entirely. In ransomware scenarios, attackers with compromised credentials can delete all object versions and backups. MFA Delete ensures that even with valid credentials, a physical MFA device is required to delete object versions or change the versioning state of a bucket.

Common causes

MFA Delete can only be enabled by the root account using the CLI, not through IAM users or Terraform alone. This operational friction means most teams skip it during bucket creation and never come back to enable it. Organizations that avoid using the root account (correctly, per CIS 1.7) find it especially awkward to enable because it requires a one-time root login with MFA.

Detection

Run cloud-audit to detect this issue:

pip install cloud-audit
cloud-audit scan -R

The -R flag includes remediation details for every finding, including this one.
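The check logic itself is small, and seeing it spelled out makes the scanner's PASS/FAIL decision easy to reason about. The following is an added example written for this page, not cloud-audit's own implementation: it classifies a bucket from the response shape of the S3 GetBucketVersioning API, where both Status and MFADelete are optional keys, and it treats a bucket as compliant only when versioning and MFA Delete are both Enabled. The function names, the finding dictionary layout and the sample bucket responses are constructed for illustration; the scan_account helper uses boto3 and needs real AWS credentials, so it is not exercised by the inline samples.

```python
"""Added example of the S3 MFA Delete check (aws-s3-007); not cloud-audit's code."""
from typing import Dict, List, Optional

# Remediation text mirrors the CLI command documented for this check;
# ACCOUNT_ID and TOTP_CODE are placeholders the operator fills in.
REMEDIATION = (
    "aws s3api put-bucket-versioning --bucket {bucket} "
    "--versioning-configuration Status=Enabled,MFADelete=Enabled "
    "--mfa 'arn:aws:iam::ACCOUNT_ID:mfa/root-account-mfa-device TOTP_CODE'"
)


def evaluate_mfa_delete(bucket: str, versioning: Dict[str, str]) -> dict:
    """Classify one bucket from its GetBucketVersioning response.

    The API omits 'Status' when versioning was never configured and omits
    'MFADelete' unless it has ever been set, so both keys are read with .get().
    """
    status = versioning.get("Status")          # None, 'Enabled' or 'Suspended'
    mfa_delete = versioning.get("MFADelete")   # None, 'Enabled' or 'Disabled'

    if status != "Enabled":
        # Without versioning there are no object versions for MFA Delete to
        # protect, and MFADelete cannot be Enabled while Status is not Enabled.
        reason = f"versioning is {status or 'not configured'}"
    elif mfa_delete != "Enabled":
        reason = f"MFA Delete is {mfa_delete or 'not set'}"
    else:
        reason = "versioning and MFA Delete are both enabled"

    passed = status == "Enabled" and mfa_delete == "Enabled"
    return {
        "check_id": "aws-s3-007",
        "severity": "MEDIUM",
        "cis": "2.1.2",
        "bucket": bucket,
        "status": "PASS" if passed else "FAIL",
        "reason": reason,
        "remediation": None if passed else REMEDIATION.format(bucket=bucket),
    }


def scan_account(region_name: Optional[str] = None) -> List[dict]:
    """Run the check against every bucket the caller can list (needs AWS credentials)."""
    import boto3  # imported here so the pure evaluation logic runs without the SDK
    s3 = boto3.client("s3", region_name=region_name)
    findings = []
    for bucket in s3.list_buckets()["Buckets"]:
        response = s3.get_bucket_versioning(Bucket=bucket["Name"])
        findings.append(evaluate_mfa_delete(bucket["Name"], response))
    return findings


# Constructed sample responses covering the four states a bucket can be in.
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "logs-prod": {"Status": "Enabled", "MFADelete": "Enabled"},     # PASS
    "backups":   {"Status": "Enabled", "MFADelete": "Disabled"},    # FAIL
    "legacy":    {"Status": "Suspended"},                           # FAIL
    "scratch":   {},                                                # FAIL
}


def scan_samples() -> List[dict]:
    """Evaluate the constructed samples offline, in the same shape scan_account returns."""
    return [evaluate_mfa_delete(name, resp) for name, resp in SAMPLE_RESPONSES.items()]


if __name__ == "__main__":
    for finding in scan_samples():
        print(f"{finding['status']:4} {finding['bucket']:10} {finding['reason']}")
        if finding["remediation"]:
            print(f"     fix: {finding['remediation']}")
```

Run as a script it prints one line per sample bucket; only logs-prod passes, and each failing bucket carries the root-account CLI command as its remediation. Note that the check deliberately fails buckets whose versioning is Suspended or unset rather than skipping them: MFA Delete is only meaningful on a versioned bucket, so a non-versioned bucket has neither protection.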

Remediation: AWS CLI

aws s3api put-bucket-versioning --bucket BUCKET_NAME --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa 'arn:aws:iam::ACCOUNT_ID:mfa/root-account-mfa-device TOTP_CODE'

Remediation: Terraform

resource "aws_s3_bucket_versioning" "example" {
  bucket = aws_s3_bucket.example.id
  versioning_configuration {
    status     = "Enabled"
    mfa_delete = "Enabled"
  }
  # Note: MFA Delete can only be enabled by the root account using the AWS CLI
}

Compliance mapping

This check maps to CIS 2.1.2 in the CIS AWS Foundations Benchmark. The CIS Benchmark provides prescriptive guidance for configuring security options for a subset of AWS services.

This check is part of cloud-audit - install with pip install cloud-audit