MFA Delete enabled for critical buckets
Demonstrate that MFA Delete is enabled and enforced on all S3 buckets classified as critical, preventing unauthorized permanent deletion of versioned objects without multi-factor authentication.
Description
What this control does
MFA Delete is a setting of Amazon S3 bucket versioning. When it is enabled, two kinds of request on the bucket must carry a valid multi-factor authentication code in addition to the caller's AWS credentials: permanently deleting a specific object version (DeleteObject with a version ID) and changing the bucket's versioning state, including suspending versioning or turning MFA Delete off. The code is supplied in the x-amz-mfa request header (the --mfa option in the AWS CLI) as the MFA device's serial number, a space, and the current one-time code. Only the bucket owner's root user can enable MFA Delete, it cannot be enabled from the console, and the device used is the hardware or virtual MFA device registered to that root user; an IAM user or role holding only long-term access keys cannot satisfy the check. This protects critical data from accidental or malicious permanent deletion because a stolen access key alone is not enough to remove a version. Two limits matter when scoping the control: a DeleteObject request without a version ID still succeeds and only writes a delete marker, so MFA Delete protects the version history rather than the current view of an object, and S3 Lifecycle configuration is not supported on a bucket with MFA Delete enabled, so noncurrent-version expiration has to be handled some other way.
Control objective
What auditing this proves
Demonstrate that MFA Delete is enabled and enforced on all S3 buckets classified as critical, preventing unauthorized permanent deletion of versioned objects without multi-factor authentication.
Associated risks
Risks this control addresses
- Compromised IAM credentials used to permanently delete critical business data or audit logs without additional authentication
- Insider threat actor with stolen access keys permanently removes evidence of fraud or data exfiltration by deleting object versions
- Automated malware or ransomware scripts delete S3 object versions after gaining access to long-term credentials stored in code repositories
- Accidental execution of bulk deletion scripts by authorized users permanently removes production data without secondary approval
- Advanced persistent threat actor deletes versioned backup copies after initial compromise, removing the recovery path before the destructive phase of the intrusion
- Compliance violation when regulated data retention requirements are circumvented through unauthorized version deletion
- Business continuity failure when critical application data or disaster recovery backups are irreversibly deleted during security incident
Testing procedure
How an auditor verifies this control
- Obtain the organization's classification inventory identifying all S3 buckets designated as critical based on data sensitivity, regulatory requirements, or business impact
- Export the current versioning and MFA Delete configuration for all in-scope critical buckets using AWS CLI command 'aws s3api get-bucket-versioning' for each bucket
- Review the output to verify that both 'Status: Enabled' (versioning) and 'MFADelete: Enabled' are present; a bucket on which versioning was never configured returns an empty configuration with neither key, and 'MFADelete: Disabled' or a missing MFADelete key is a finding even when versioning is enabled
- Confirm that the bucket owner's root user, the only identity that can enable MFA Delete and the one whose MFA device satisfies it, has an MFA device registered: check the root user's security credentials in the IAM console, or run 'aws iam get-account-summary' and verify AccountMFAEnabled is 1; also confirm the root user has no access keys and that its use is limited to MFA Delete administration
- Select a representative sample of critical buckets and retrieve CloudTrail records for PutBucketVersioning (a management event, always logged) and for DeleteObject calls that specify a versionId (an S3 data event, present only if data-event logging is enabled for the bucket); confirm that every versioning-state change and permanent deletion was made by the root user and matches an approved change, and treat missing data-event logging for a critical bucket as a finding in its own right
- Test one critical bucket by uploading a throwaway object, noting its version ID, and attempting 'aws s3api delete-object' with --version-id but without --mfa; the call must fail with AccessDenied and the message 'Mfa Authentication must be used for this request'. Do not use a delete-object call without a version ID as the test, since it succeeds on any versioned bucket and only writes a delete marker, and test suspending versioning without --mfa only on a non-production copy, because if the control is not enforced the call really suspends versioning
- Review change management records for any modifications to MFA Delete settings on critical buckets to verify approval workflows and justification documentation exist
- Cross-reference the list of critical buckets against AWS Config rules (for example the managed rule s3-bucket-versioning-enabled with the isMfaDeleteEnabled parameter set to true) or custom compliance checks configured to continuously monitor MFA Delete status and alert on configuration drift
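The procedure above, carried out against a constructed stand-in so that it runs offline, as an added example that is not code from this page or from AWS: evaluate_versioning classifies a get-bucket-versioning response the way the review step requires, audit_buckets applies it across the inventory, negative_test performs the no-MFA deletion check with a version ID, and enable_mfa_delete shows the remediation call and the "serial, space, code" MFA value described under "What this control does". FakeS3, the bucket names, the object versions and the MFA device ARN are all constructed for the example; the fake only checks that an MFA value is present, whereas S3 validates the code against the root user's device. For a real run, replace FakeS3 with boto3.client("s3") and perform the enable step as the root user.

```python
"""Offline model of the MFA Delete control and the audit steps above.

Added example, not AWS or vendor code. Assumes the classification inventory is
a list of bucket names and that `client` exposes the boto3 S3 client methods
get_bucket_versioning(), put_bucket_versioning() and delete_object(). FakeS3
is a constructed stand-in following the documented MFA Delete rules."""
from __future__ import annotations
from dataclasses import dataclass, field

# Error text S3 returns when a permanent delete or versioning change lacks MFA.
MFA_REQUIRED_MSG = "Mfa Authentication must be used for this request"


def mfa_header(serial_arn: str, code: str) -> str:
    """Value for the x-amz-mfa header / boto3 MFA= parameter: serial, space, code."""
    return f"{serial_arn} {code}"


def enable_mfa_delete(client, bucket: str, serial_arn: str, code: str) -> None:
    """Turn on versioning and MFA Delete in one call (root user credentials required)."""
    client.put_bucket_versioning(
        Bucket=bucket,
        MFA=mfa_header(serial_arn, code),
        VersioningConfiguration={"Status": "Enabled", "MFADelete": "Enabled"},
    )


def evaluate_versioning(cfg: dict) -> tuple[str, list[str]]:
    """Classify one get-bucket-versioning response; both keys must be 'Enabled'.
    A never-versioned bucket returns neither key, so absence counts as a failure."""
    findings = []
    if cfg.get("Status") != "Enabled":
        findings.append(f"versioning is {cfg.get('Status', 'not configured')}")
    if cfg.get("MFADelete") != "Enabled":
        findings.append(f"MFADelete is {cfg.get('MFADelete', 'not configured')}")
    return ("PASS" if not findings else "FAIL", findings)


def audit_buckets(client, critical_buckets: list[str]) -> dict[str, tuple[str, list[str]]]:
    """Export and classify every in-scope bucket from the inventory."""
    return {b: evaluate_versioning(client.get_bucket_versioning(Bucket=b)) for b in critical_buckets}


def negative_test(client, bucket: str, key: str, version_id: str) -> bool:
    """A permanent delete without MFA must be refused. Returns True only if S3
    answers AccessDenied with the MFA message. Pass a throwaway object's version
    id: if the control is not enforced, that version is really gone."""
    try:
        client.delete_object(Bucket=bucket, Key=key, VersionId=version_id)
    except Exception as exc:  # botocore ClientError, or the constructed error below
        err = getattr(exc, "response", {}).get("Error", {})
        return err.get("Code") == "AccessDenied" and MFA_REQUIRED_MSG in err.get("Message", "")
    return False


class FakeClientError(Exception):
    """Constructed error carrying a botocore-style .response so callers are written once."""
    def __init__(self, code: str, message: str):
        super().__init__(f"{code}: {message}")
        self.response = {"Error": {"Code": code, "Message": message}}


@dataclass
class FakeS3:
    """Constructed stand-in for the S3 client; only checks that an MFA value is present."""
    versioning: dict[str, dict]                                  # bucket -> versioning config
    versions: dict[tuple[str, str], list[str]] = field(default_factory=dict)
    delete_markers: list[tuple[str, str]] = field(default_factory=list)

    def _mfa_gate(self, bucket: str, mfa: str | None) -> None:
        if self.versioning.get(bucket, {}).get("MFADelete") == "Enabled" and not mfa:
            raise FakeClientError("AccessDenied", MFA_REQUIRED_MSG)

    def get_bucket_versioning(self, Bucket: str) -> dict:
        return dict(self.versioning.get(Bucket, {}))

    def put_bucket_versioning(self, Bucket: str, VersioningConfiguration: dict, MFA: str | None = None) -> dict:
        # Enabling MFA Delete, or changing state once it is on, needs the header.
        if VersioningConfiguration.get("MFADelete") == "Enabled" and not MFA:
            raise FakeClientError("AccessDenied", MFA_REQUIRED_MSG)
        self._mfa_gate(Bucket, MFA)
        self.versioning[Bucket] = dict(VersioningConfiguration)
        return {}

    def delete_object(self, Bucket: str, Key: str, VersionId: str | None = None, MFA: str | None = None) -> dict:
        if VersionId is None:
            # No version id: S3 only writes a delete marker; MFA Delete does not apply.
            self.delete_markers.append((Bucket, Key))
            return {"DeleteMarker": True}
        self._mfa_gate(Bucket, MFA)  # permanent delete of a version needs MFA
        self.versions[(Bucket, Key)].remove(VersionId)
        return {"VersionId": VersionId}


if __name__ == "__main__":
    # Constructed inventory: one compliant bucket, one that drifted.
    s3 = FakeS3(versioning={"audit-logs": {"Status": "Enabled", "MFADelete": "Enabled"},
                            "dr-backups": {"Status": "Enabled"}},
                versions={("dr-backups", "db.dump"): ["v1"]})
    for bucket, (status, findings) in audit_buckets(s3, ["audit-logs", "dr-backups"]).items():
        print(f"{bucket}: {status} {findings}")
    # Constructed root MFA device ARN; in AWS this call must be made as the root user.
    enable_mfa_delete(s3, "dr-backups", "arn:aws:iam::111122223333:mfa/root-account-mfa-device", "123456")
    print("dr-backups after remediation:", audit_buckets(s3, ["dr-backups"]))
```

The negative test deliberately passes a version ID: against the fake, as against S3, a delete without one succeeds on every bucket and only leaves a delete marker, which is why it proves nothing about MFA Delete.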
Where this control is tested