Ensure MFA Delete is enable on S3 buckets

Dome9 rules are powered by the Governance Specification Language (GSL). GSL allows our customers to write and run custom security and compliance checks that can be easily read
Learn more:
Compliance Engine
GSL Language
Remediation
You can not perform Enable MFA Delete through AWS Management Console, this is required to use the AWS CLI or API. You can perform MFA Delete on S3 buckets using 'root' account only. Use following steps to enable MFA delete on an S3 bucket.
From TF
resource "aws_s3_bucket" "test" {
bucket = "my-tf-test-bucket"
acl = "private"
tags = {
Name = "My bucket"
Environment = "Dev"
}
+ versioning {
enabled = true
+ mfa_delete = true
+ }
}
From Command Line
Using the AWS s3api CLI, enable MFA Delete for the S3 buckets that fail this rule, for example:
aws s3api put-bucket-versioning --bucket BUCKET_NAME --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa 'arn:aws:iam::aws_account_id:mfa/root-account-mfa-device pass code'
References
1. https://aws.amazon.com/blogs/security/securing-access-to-aws-using-mfa-part-3
2. https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiFactorAuthenticationDelete.html
Related Links:
Getting Started with Amazon Simple Storage Service
Simple Storage Service (S3)
Companies today need the ability to simply and securely collect, store, and analyze their data at a massive scale. Amazon S3 is object storage built to store and retrieve any amount of data from anywhere ��� web sites and mobile apps, corporate applications, and data from IoT sensors or devices. It is designed to deliver 99.999999999% durability, and stores data for millions of applications used by market leaders in every indu
Compliance Frameworks






