DEV Community

mostafamedhat1983

Enable S3 MFA delete using AWS CLI - A SIMPLE GUIDE

S3 MFA delete adds another layer of security as you can't delete files unless you have the MFA device authentication code.

First, you need to register an MFA device with your account. See the following link to do so:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html

In your S3 bucket properties, under Bucket Versioning, click Edit.

Note that you can't enable MFA delete here; it can only be enabled using the AWS CLI, an AWS SDK or the S3 REST API.

If you need to install the AWS CLI, see the following link:
https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html

To use the AWS CLI you need to create an access key. Click on your account name in the top right and then Security credentials.

*Copy the MFA device identifier, as we will use it later.

In Access keys, click Create access key.

Check "I understand that creating a root access key is not a best practice" and click Create access key.

Download the CSV file that contains the access key and secret access key. If you don't, you will have to create another access key, as you can't retrieve the secret access key later.

Open the CLI and configure it using the "aws configure" command. Enter the access key, secret access key, default region and default output format.

Check that the AWS CLI is working: use the command "aws s3 ls" to show your S3 buckets.

Enable MFA delete using the following command:
aws s3api put-bucket-versioning --bucket bucket-name --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "MFA-device-identifier mfa-code"
Replace the placeholders (bucket-name, MFA-device-identifier and mfa-code) with their appropriate values.

Check your S3 bucket properties to confirm MFA delete is enabled.
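The same confirmation can be done from the CLI with "aws s3api get-bucket-versioning", which also makes it possible to check every bucket in the account at once. The script below is an added example, not part of the original post; the function names, verdict labels and sample bucket names are made up for illustration.

```shell
#!/bin/sh
# Added example: report which buckets have versioning and MFA delete enabled.
TAB=$(printf '\t')

# Turn the Status and MFADelete fields of get-bucket-versioning into a verdict.
# With --output text the CLI prints "None" for a field the API did not return.
classify_versioning() {
  if [ "$1" != "Enabled" ]; then
    echo "VERSIONING_NOT_ENABLED"   # never configured ("None") or Suspended
  elif [ "$2" = "Enabled" ]; then
    echo "PROTECTED"                # permanent deletes need the MFA code
  else
    echo "MFA_DELETE_OFF"           # "Disabled", or "None" if never set
  fi
}

# Read "bucket<TAB>Status<TAB>MFADelete" rows on stdin and print one verdict
# per bucket. Returns 1 if any bucket is not PROTECTED, so it can gate a job.
report() {
  rc=0
  while IFS="$TAB" read -r bucket status mfa; do
    [ -n "$bucket" ] || continue
    verdict=$(classify_versioning "$status" "$mfa")
    printf '%-24s %s\n' "$bucket" "$verdict"
    [ "$verdict" = "PROTECTED" ] || rc=1
  done
  return "$rc"
}

# Live collector: needs the credentials set up with "aws configure".
collect() {
  for b in $(aws s3api list-buckets --query 'Buckets[].Name' --output text); do
    v=$(aws s3api get-bucket-versioning --bucket "$b" \
          --query '[Status, MFADelete]' --output text)
    printf '%s\t%s\n' "$b" "$v"
  done
}

# Constructed sample rows (not real buckets) in the format collect emits.
sample_rows() {
  printf 'logs-archive\tEnabled\tEnabled\n'
  printf 'app-uploads\tEnabled\tDisabled\n'
  printf 'scratch-space\tNone\tNone\n'
}

# Default run is offline on the sample; pass --live to query the account.
if [ "${1:-}" = "--live" ]; then collect | report; else sample_rows | report || true; fi
```

Run it with --live after "aws configure" to check the real account; the exit status is non-zero if any bucket is not protected.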

If you delete an object without showing versions, a delete marker will be added to this object, but it will not be permanently deleted. You have to show versions and choose the version you want to delete.

If you try to permanently delete an object version, you will get an error.

Trying from the CLI has the same result.

To delete a file you need to add the MFA device ID and code. If you delete an object with a delete marker, it will be shown in the result.

Deleting object with delete marker.

Deleting object with no delete marker.

To disable MFA delete, use the same command as enabling it and replace "MFADelete=Enabled" with "MFADelete=Disabled".

After disabling MFA delete, don't forget to delete your access key.
You have to deactivate the access key first, then delete it.

Top comments (2)

Waleed Elginady

Good Job

Ahmed Attia

Thank you for sharing your expertise