Key Points on MFA Delete in AWS S3
MFA Delete represents another layer of security: you configure a bucket so that MFA (multi-factor authentication) is required before certain operations are allowed.
You should note that only the bucket owner (root account) can enable MFA Delete, and only via the AWS CLI. However, versioning can be enabled by the bucket owner (the AWS account that created the bucket, i.e., the root account) and by any authorized IAM user.
- MFA Delete Overview:
  - MFA Delete is a security feature that enforces multi-factor authentication (MFA) before allowing certain destructive operations on S3 buckets.
- Multi-Factor Authentication (MFA):
  - It requires users to provide an additional authentication code from a device, such as a smartphone app (e.g., Google Authenticator) or a hardware MFA device.
- Operations Requiring MFA:
  - MFA is required when performing the following operations:
    - Permanently deleting an object version.
    - Suspending Versioning on a bucket.
- Operations Not Requiring MFA:
  - MFA is not required for:
    - Enabling Versioning.
    - Listing deleted object versions.
- Prerequisites for MFA Delete:
  - Versioning must be enabled on the bucket to use MFA Delete.
- Permissions:
  - Only the bucket owner, specifically the AWS account's root user, can enable or disable MFA Delete.
- Considerations:
  - Using the root account is generally discouraged for routine operations due to security implications.
  - MFA Delete adds an additional layer of protection to prevent the accidental or malicious permanent deletion of object versions.
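The checks above (versioning enabled, MFA Delete enabled, and the MFA-bearing request that turns it on) as an added Python example; this is not the course's own code. It assumes the boto3 S3 client's `get_bucket_versioning` / `put_bucket_versioning` response and parameter shapes, and uses a constructed fake client with made-up bucket names and a placeholder MFA device ARN so it runs offline; with boto3 installed, pass `boto3.client("s3")` instead.

```python
"""Audit S3 buckets for MFA Delete and build the request that enables it."""
from dataclasses import dataclass


@dataclass
class BucketReport:
    bucket: str
    versioning: str   # "Enabled", "Suspended" or "Unversioned"
    mfa_delete: str   # "Enabled" or "Disabled"

    @property
    def needs_attention(self) -> bool:
        # MFA Delete only protects a versioned bucket, so either gap is a finding.
        return self.versioning != "Enabled" or self.mfa_delete != "Enabled"


def audit_bucket(s3, bucket: str) -> BucketReport:
    # get_bucket_versioning returns {} for a never-versioned bucket and omits
    # MFADelete unless it was ever set, so both keys need safe defaults.
    cfg = s3.get_bucket_versioning(Bucket=bucket)
    return BucketReport(bucket, cfg.get("Status", "Unversioned"),
                        cfg.get("MFADelete", "Disabled"))


def findings(s3, buckets) -> list:
    return [r for r in (audit_bucket(s3, b) for b in buckets) if r.needs_attention]


def enable_mfa_delete_request(bucket: str, mfa_serial: str, mfa_code: str) -> dict:
    # Keyword arguments for s3.put_bucket_versioning. The MFA value is the device
    # serial (an ARN for a virtual device) followed by a space and the current
    # six-digit code; versioning must be Enabled in the same request, and only
    # the account's root user can make it.
    if not (mfa_code.isdigit() and len(mfa_code) == 6):
        raise ValueError("MFA code must be six digits")
    return {
        "Bucket": bucket,
        "VersioningConfiguration": {"Status": "Enabled", "MFADelete": "Enabled"},
        "MFA": f"{mfa_serial} {mfa_code}",
    }


class FakeS3:
    """Constructed stand-in for boto3's S3 client (offline only)."""
    def __init__(self, configs): self._configs = configs
    def get_bucket_versioning(self, Bucket): return self._configs[Bucket]


SAMPLE = {  # constructed bucket configurations
    "logs-prod": {"Status": "Enabled", "MFADelete": "Enabled"},
    "backups": {"Status": "Enabled"},
    "scratch": {},
    "old-site": {"Status": "Suspended", "MFADelete": "Disabled"},
}

if __name__ == "__main__":
    for r in findings(FakeS3(SAMPLE), SAMPLE):
        print(f"{r.bucket}: versioning={r.versioning} mfa_delete={r.mfa_delete}")
```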
Next Steps
- In the following hands-on lecture, you will learn how to enable or disable MFA Delete using the root account.
- Remember, MFA Delete is a powerful feature to safeguard against irreversible changes in your S3 bucket.