Enabling and Using MFA Delete in Amazon S3

Multi-Factor Authentication (MFA) Delete is an extra layer of protection in Amazon S3 Versioning. Once it is enabled on a bucket, a valid code from an MFA device must accompany any request to permanently delete an object version or to change the bucket's versioning state (for example, suspending it). Ordinary deletes, which only add a delete marker, are unaffected. This protects versioned data against accidental or malicious permanent deletion, even by a principal whose access keys have been compromised.


1. Key Concepts of MFA Delete

  1. MFA Delete only applies to versioned buckets; Bucket Versioning must be enabled first.
  2. Only the bucket owner signed in as the AWS account root user can enable or disable MFA Delete. IAM users and roles cannot, even with administrator permissions.
  3. It cannot be turned on from the S3 console; it is set through the AWS CLI, SDKs, or REST API using the root user's access keys plus a current MFA code.
  4. While it is enabled, every permanent deletion of an object version and every change to the versioning state requires an MFA code.

🚨 Important: AWS recommends against using root credentials for routine work. Create root access keys only for the MFA Delete operation itself, and delete them as soon as it is done.


2. Setting Up MFA Delete in S3

Step 1: Create an S3 Bucket with Versioning

  1. Create a new bucket (e.g., demo-stephane-mfa-delete-2020).
  2. Enable Bucket Versioning in Properties.
  3. The Bucket Versioning panel shows MFA Delete as Disabled by default; the console cannot change this setting.

Step 2: Enable MFA for the Root Account

  1. Signed in as the root user, go to the AWS IAM Console → Security Credentials.
  2. Set up an MFA device (virtual or hardware).
  3. Copy the MFA device ARN (Amazon Resource Name). It serves as the device serial number and is passed together with the current MFA code in the CLI call that enables MFA Delete.
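The CLI side of the procedure above, as an added example that is not part of the original notes: it creates the versioned bucket from Step 1, enables MFA Delete with the device ARN from Step 2, verifies the result, and shows the one operation MFA Delete actually guards (permanently deleting a specific object version). It assumes the AWS CLI is installed and temporarily configured with the root user's access keys, and that the bucket name, MFA device ARN, object key and version ID are placeholders you replace.

```shell
#!/bin/sh
# Added example (not from the original notes). Assumes the AWS CLI is
# configured with the root user's (temporary) access keys; MFA Delete can only
# be enabled by the bucket owner's root account. BUCKET and MFA_ARN are
# hypothetical placeholders.
set -eu

BUCKET="${BUCKET:-demo-stephane-mfa-delete-2020}"
# Hypothetical MFA device ARN copied from IAM > Security Credentials.
MFA_ARN="${MFA_ARN:-arn:aws:iam::123456789012:mfa/root-account-mfa-device}"

# Build the value for --mfa: "<device serial/ARN> <six-digit code>".
# Rejects codes that are not exactly six digits, a common cause of S3
# rejecting the request as an invalid MFA token.
mfa_arg() {
  case "$2" in
    [0-9][0-9][0-9][0-9][0-9][0-9]) printf '%s %s\n' "$1" "$2" ;;
    *) echo "mfa_arg: MFA code must be six digits" >&2; return 1 ;;
  esac
}

# Extract the MFADelete field from the JSON printed by
# `aws s3api get-bucket-versioning` (read on stdin). S3 omits the field on
# buckets where MFA Delete was never enabled, so that case maps to Disabled.
mfa_delete_state() {
  state=$(sed -n 's/.*"MFADelete": *"\([A-Za-z]*\)".*/\1/p')
  printf '%s\n' "${state:-Disabled}"
}

# Step 1: bucket with versioning enabled (MFA Delete requires it). Outside
# us-east-1, create-bucket also needs
# --create-bucket-configuration LocationConstraint=<region>.
create_versioned_bucket() {
  aws s3api create-bucket --bucket "$BUCKET"
  aws s3api put-bucket-versioning --bucket "$BUCKET" \
    --versioning-configuration Status=Enabled
}

# Enable MFA Delete. Argument: the current code shown by the MFA device.
# This is the call the console cannot make for you.
enable_mfa_delete() {
  aws s3api put-bucket-versioning --bucket "$BUCKET" \
    --versioning-configuration Status=Enabled,MFADelete=Enabled \
    --mfa "$(mfa_arg "$MFA_ARN" "$1")"
}

# Check: succeeds only if S3 now reports MFADelete=Enabled.
verify_mfa_delete() {
  [ "$(aws s3api get-bucket-versioning --bucket "$BUCKET" | mfa_delete_state)" = "Enabled" ]
}

# Using it: delete-object without --version-id only adds a delete marker and
# needs no MFA; permanently removing a specific version does.
delete_version() {   # delete_version <key> <version-id> <mfa-code>
  aws s3api delete-object --bucket "$BUCKET" --key "$1" \
    --version-id "$2" --mfa "$(mfa_arg "$MFA_ARN" "$3")"
}

# Only talk to AWS when invoked explicitly, e.g.:
#   sh mfa-delete.sh create
#   sh mfa-delete.sh enable 123456
#   sh mfa-delete.sh delete report.csv 3HL4kqtJlcpXroDTDmJ+rmSpXd3dIbrHY 123456
case "${1:-}" in
  create) create_versioned_bucket ;;
  enable) enable_mfa_delete "$2" && verify_mfa_delete ;;
  delete) delete_version "$2" "$3" "$4" ;;
esac
```

After the enable call succeeds, delete the root access keys again as the note in section 1 says; the MFA device itself stays registered because every later permanent deletion needs a fresh code from it.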