S3 bucket should have versioning MFA delete enabled

Risk Level: High
Simple Storage Service (S3)
Rule ID: D9.AWS.IAM.43
Category: Storage
Enabling MFA delete for versioning is a good way to add extra protection to sensitive files stored in buckets.

gsl logic

S3Bucket should have versioning.mfaDelete=true

Dome9 rules are powered by the Governance Specification Language (GSL). GSL allows our customers to write and run custom security and compliance checks that can be easily read.

Learn more:
Compliance Engine
GSL Language

Remediation

Using the AWS s3api CLI, enable MFA Delete for the S3 buckets that fail this rule, for example:
aws s3api put-bucket-versioning --bucket bucketname --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "your-mfa-serial-number mfa-code"

Refer to: https://aws.amazon.com/blogs/security/securing-access-to-aws-using-mfa-part-3
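The following is an added example, not part of the Dome9 rule page or the CloudGuard product: it evaluates the GSL logic above (`versioning.mfaDelete=true`) over the JSON that `aws s3api get-bucket-versioning` returns for each bucket, and builds the remediation command as an argument list rather than a shell string. The bucket names, the versioning responses and the MFA device ARN are constructed sample data; the `mfa_delete_enabled`, `evaluate` and `remediation_argv` helpers are hypothetical names chosen here. Note that AWS only lets the bucket owner's root account credentials enable MFA Delete, so the command must be run with that account's MFA device, not an IAM user's.

```python
import json
import shlex

# Constructed sample: the body returned by
#   aws s3api get-bucket-versioning --bucket <name>
# for four made-up buckets. A bucket whose versioning was never configured
# returns an empty JSON document, so "MFADelete" is simply absent.
SAMPLE_VERSIONING = {
    "logs-archive":   '{"Status": "Enabled", "MFADelete": "Enabled"}',
    "app-uploads":    '{"Status": "Enabled", "MFADelete": "Disabled"}',
    "scratch-data":   '{}',
    "legacy-backups": '{"Status": "Suspended", "MFADelete": "Enabled"}',
}


def mfa_delete_enabled(versioning_json: str) -> bool:
    """Literal check for rule D9.AWS.IAM.43: versioning.mfaDelete must be true.

    Missing or empty output counts as a failure, because a bucket that never
    had versioning turned on cannot have MFA Delete either.
    """
    cfg = json.loads(versioning_json or "{}")
    return cfg.get("MFADelete") == "Enabled"


def versioning_enabled(versioning_json: str) -> bool:
    """Companion check: MFA Delete only protects object versions that
    versioning actually keeps, so a Suspended bucket deserves a second look
    even though the literal rule passes it."""
    cfg = json.loads(versioning_json or "{}")
    return cfg.get("Status") == "Enabled"


def evaluate(buckets: dict) -> dict:
    """Map each bucket name to PASS/FAIL against the rule logic."""
    return {
        name: ("PASS" if mfa_delete_enabled(body) else "FAIL")
        for name, body in buckets.items()
    }


def remediation_argv(bucket: str, mfa_serial: str, mfa_code: str) -> list:
    """Argument list for the remediation command shown on the page.

    The --mfa value is a single token holding the device serial (ARN) and
    the current code separated by one space. Building an argv list and
    handing it to subprocess.run avoids any shell quoting mistakes when a
    bucket name or ARN is taken from untrusted inventory data.
    """
    return [
        "aws", "s3api", "put-bucket-versioning",
        "--bucket", bucket,
        "--versioning-configuration", "Status=Enabled,MFADelete=Enabled",
        "--mfa", f"{mfa_serial} {mfa_code}",
    ]


if __name__ == "__main__":
    # Constructed placeholder: the root account's virtual MFA device ARN.
    MFA_SERIAL = "arn:aws:iam::111122223333:mfa/root-account-mfa-device"
    results = evaluate(SAMPLE_VERSIONING)
    for name, verdict in results.items():
        note = ""
        if verdict == "PASS" and not versioning_enabled(SAMPLE_VERSIONING[name]):
            note = "  (MFA Delete set but versioning is Suspended)"
        print(f"{name:16} {verdict}{note}")
    for name, verdict in results.items():
        if verdict == "FAIL":
            # Print, rather than run, so the operator supplies a fresh MFA code.
            print(shlex.join(remediation_argv(name, MFA_SERIAL, "123456")))
```

In a real inventory script the `SAMPLE_VERSIONING` dictionary would be filled by calling `get-bucket-versioning` for every bucket from `list-buckets`; everything else stays the same. Because an MFA code is only valid for a short window, the script prints the remediation command for each failing bucket instead of executing it, leaving the root-account operator to run it with a current code.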

Simple Storage Service (S3)

Companies today need the ability to simply and securely collect, store, and analyze their data at a massive scale. Amazon S3 is object storage built to store and retrieve any amount of data from anywhere – web sites and mobile apps, corporate applications, and data from IoT sensors or devices. It is designed to deliver 99.999999999% durability, and stores data for millions of applications used by market leaders in every industry.

Compliance Frameworks

BP_0318 GDPR HIPAA ISO27001 NIST_CSF PCIDSS32