In this lesson, we explored MFA Delete, an additional security feature in Amazon S3 that prevents permanent deletions of object versions unless multi-factor authentication (MFA) is provided.
MFA (Multi-Factor Authentication) Delete is a security mechanism that requires an additional authentication step before performing critical deletion operations in S3.
With MFA Delete enabled, users must enter a one-time code from an MFA device (e.g., Google Authenticator app or a hardware MFA device) before:
1️⃣ Permanently deleting an object version
2️⃣ Suspending versioning on an S3 bucket
This feature protects against accidental or malicious deletions and ensures that object versions are not permanently lost without additional authentication.
With MFA Delete enabled, MFA is required only for specific actions:
| Action | MFA Required? |
|---|---|
| Permanently delete an object version | ✅ Yes |
| Suspend versioning on a bucket | ✅ Yes |
| Enable versioning on a bucket | ❌ No |
| List deleted object versions | ❌ No |
⚠️ Important: MFA Delete only applies to versioned buckets.
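
To check which buckets actually have this protection, the following added example (not part of the original lesson) classifies S3 `GetBucketVersioning` responses, including the cases where the `Status` or `MFADelete` field is absent. The bucket names and sample responses are constructed; in practice the dictionaries would come from `aws s3api get-bucket-versioning` or boto3's `get_bucket_versioning`.

```python
"""Audit S3 bucket versioning state for MFA Delete (added example)."""

# Constructed sample data shaped like S3 GetBucketVersioning responses.
# Bucket names are hypothetical.
SAMPLE_RESPONSES = {
    "example-logs": {"Status": "Enabled", "MFADelete": "Enabled"},
    "example-backups": {"Status": "Enabled", "MFADelete": "Disabled"},
    "example-archive": {"Status": "Enabled"},   # MFADelete never configured
    "example-staging": {"Status": "Suspended", "MFADelete": "Disabled"},
    "example-scratch": {},                      # versioning never enabled
}


def classify(resp):
    """Map one GetBucketVersioning response to a protection state."""
    status = resp.get("Status")         # absent if bucket was never versioned
    mfa_delete = resp.get("MFADelete")  # absent if never configured
    if status is None:
        # MFA Delete only applies to versioned buckets.
        return "unversioned"
    if status == "Suspended":
        return "versioning-suspended"
    if status == "Enabled" and mfa_delete == "Enabled":
        return "protected"
    return "versioned-without-mfa-delete"


def audit(responses):
    """Return {bucket: state} for every bucket that is not protected."""
    findings = {}
    for bucket, resp in sorted(responses.items()):
        state = classify(resp)
        if state != "protected":
            findings[bucket] = state
    return findings


if __name__ == "__main__":
    for bucket, state in audit(SAMPLE_RESPONSES).items():
        print(f"{bucket}: {state}")
```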