S3 MFA Delete adds another layer of security: objects can't be permanently deleted unless you supply the authentication code from the registered MFA device.
First you need to register an MFA device with your account; check the following link to do so:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html
In your S3 bucket properties, under Bucket Versioning, click Edit.
Note that you can't enable MFA Delete from the console; it can only be enabled using the AWS CLI, an AWS SDK or the S3 REST API.
If you need to install the AWS CLI, check the following link:
https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html
To use the AWS CLI you need to create an access key: click your account name in the top right, then Security credentials.
* Copy the MFA device identifier, as we will use it later.
In Access keys, click Create access key.
Tick "I understand that creating a root access key is not a best practice" and click Create access key.
Download the CSV file that contains the access key and secret access key. If you don't, you will have to create another access key, because the secret access key can't be retrieved later.
Open a terminal and configure the AWS CLI with the "aws configure" command. Enter the access key, secret access key, default region and default output format.
Check that the AWS CLI is working: the command "aws s3 ls" lists your S3 buckets.
Enable MFA Delete using the following command:
aws s3api put-bucket-versioning --bucket bucket-name --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "MFA-device-identifier mfa-code"
Replace bucket-name, MFA-device-identifier and mfa-code with your own values (the device identifier is the one copied earlier; the code is the current 6-digit value from the device).
Check your S3 bucket properties to confirm MFA Delete is enabled.
If you delete an object without showing versions, a delete marker is added to the object, but it is not permanently deleted. To permanently delete it, you have to show versions and choose the version you want to delete.
If you try to permanently delete an object version, you will get an error.
Trying from the CLI has the same result.
To delete an object version you need to add the MFA device identifier and code. If you delete an object that has a delete marker, this is shown in the result.
Deleting object with delete marker.
Deleting object with no delete marker.
To disable MFA Delete, use the same command as for enabling it and replace "MFADelete=Enabled" with "MFADelete=Disabled".
After disabling MFA Delete, don't forget to delete your access key.
You have to deactivate the access key first, then delete it.
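As an added example that is not part of the original post, here are the same steps (enable MFA Delete, read the bucket state back, permanently delete one object version with the MFA value, and disable again) done through the AWS SDK for Python (boto3), which the post names as an alternative to the CLI. The DryRunClient class is a constructed stand-in for a real client so the script runs offline; the bucket, key and MFA serial values used in it are placeholders.

```python
"""S3 MFA Delete through the SDK (boto3 calls) instead of the CLI commands above.
Each function takes an S3 client, so the flow can be rehearsed with the DryRunClient
stub at the bottom and then run for real with boto3.client("s3")."""
import re


def mfa_token(serial, code):
    """Build the 'serial code' string the MFA parameter expects; it is the same
    value as the CLI's --mfa "MFA-device-identifier mfa-code"."""
    if not re.fullmatch(r"\d{6}", code):
        raise ValueError("MFA code must be the 6-digit value shown on the device")
    return f"{serial} {code}"


def set_mfa_delete(s3, bucket, serial, code, enabled=True):
    """Same request as: aws s3api put-bucket-versioning ... MFADelete=Enabled|Disabled."""
    state = "Enabled" if enabled else "Disabled"
    return s3.put_bucket_versioning(
        Bucket=bucket, MFA=mfa_token(serial, code),
        VersioningConfiguration={"Status": "Enabled", "MFADelete": state})


def mfa_delete_status(s3, bucket):
    """Read the bucket state back; the key is absent if MFA Delete was never set."""
    return s3.get_bucket_versioning(Bucket=bucket).get("MFADelete", "Disabled")


def delete_version(s3, bucket, key, version_id, serial, code):
    """Permanently delete one object version: the call that S3 rejects without
    a valid MFA value once MFA Delete is enabled."""
    return s3.delete_object(Bucket=bucket, Key=key, VersionId=version_id,
                            MFA=mfa_token(serial, code))


class DryRunClient:
    """Constructed stub: records each API call and answers like a bucket on which
    MFA Delete has just been enabled. Swap in boto3.client("s3") to run for real."""
    def __init__(self):
        self.calls = []
    def put_bucket_versioning(self, **kw):
        self.calls.append(("put_bucket_versioning", kw))
        return {}
    def get_bucket_versioning(self, **kw):
        return {"Status": "Enabled", "MFADelete": "Enabled"}
    def delete_object(self, **kw):
        self.calls.append(("delete_object", kw))
        return {"VersionId": kw["VersionId"], "DeleteMarker": False}
```

With a real client the calls must be made with the bucket owner's (root) credentials, exactly as the CLI steps above require.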
Top comments (2)
Good Job
Thank you for sharing your expertise