S3 - Enable MFA Protection (Delete)
- Table of Contents
- 1. Description
- 2. Severity Level
- 3. When to use?
- 4. Playbook steps
- 5. Prerequisites
- 6. FAQ
Description
This playbook describes how to execute the Tamnoon S3 soft-configuration automation that enables MFA delete protection on a bucket.
The automation resolves AWS credentials using the following fallbacks, in order:
1. If an AWS profile, or an AWS access key and secret, were given, use them as the credential source.
2. If no profile or keys were given, use the AWS credentials from environment variables.
3. If no environment variables are set, use the current ~/.aws configuration.
After authenticating against the AWS API, the script runs in the AWS account that the credentials resolved by fallbacks 1-3 (see above) belong to.
This automation adds an extra security layer by enabling MFA delete on S3, which requires a valid MFA token to permanently delete versioned objects or to change the bucket's versioning settings.
It ensures that even if credentials are compromised, these destructive actions cannot be taken without access to the MFA device. When configuring MFA delete, users must provide both the MFA device serial number and the current token. This playbook is intended for environments that require strong change protection and regulatory compliance.
Severity Level
High – Strongly recommended for critical or regulated data where deletion must be tightly controlled through multi-factor authentication.
When to use?
Use this playbook when you need to prevent unauthorized or accidental deletion of versioned objects in S3 buckets. It’s especially important for high-sensitivity environments requiring strict change control.
Playbook steps:
2. Execute the automation from the /AWS directory (values in angle brackets are placeholders; --revert true is optional and reverts the setting):
python3 -m Automations.EC2Actions.S3Helper --profile <aws_profile> --action mfa_protection --bucketNames <bucket_names> --actionParmas '{"mfa": "<mfa_device_serial> <mfa_code>"}' [--revert true]
python3 -m Automations.EC2Actions.S3Helper --awsAccessKey <access_key> --awsSecret <secret_key> --action mfa_protection --bucketNames <bucket_names> --actionParmas '{"mfa": "<mfa_device_serial> <mfa_code>"}' [--revert true]
actionParmas:
- mfa: the MFA device serial number, a space, and the current authentication code from the device (see the FAQ). The parameter is a JSON object; quote it so the shell passes it as a single argument.
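The following is an added example, not Tamnoon's S3Helper code, showing what the automation does underneath: it builds the boto3 put_bucket_versioning call that carries the MFA header, applies it (or reverts it), and reads the MFADelete state back to confirm the change. It also mirrors the credential fallback order from the description. Function names (parse_mfa, build_versioning_request, make_session, apply_mfa_delete) and the FakeS3Client stand-in are this example's own assumptions; the MFA string format and the put_bucket_versioning/get_bucket_versioning parameters are boto3's real API.

```python
"""Added example (not the playbook's own code): enable or revert S3 MFA Delete.

The MFA value follows AWS's documented form "<device serial> <current code>",
which is also what the playbook's `mfa` action parameter expects.
"""
import os
import re
from typing import Optional, Tuple

# "<serial> <six-digit code>", e.g. "arn:aws:iam::123456789012:mfa/alice 123456"
# (constructed sample value). Hardware token serials have no spaces either.
MFA_RE = re.compile(r"^(?P<serial>\S+) (?P<code>\d{6})$")


def parse_mfa(mfa: str) -> Tuple[str, str]:
    """Validate the 'serial<space>code' form and split it; reject anything else
    early, before a malformed header reaches the API."""
    m = MFA_RE.match(mfa.strip())
    if not m:
        raise ValueError("mfa must be '<MFA device serial> <6-digit code>'")
    return m.group("serial"), m.group("code")


def build_versioning_request(bucket: str, mfa: str, revert: bool = False) -> dict:
    """Keyword arguments for s3.put_bucket_versioning().

    MFA Delete is part of the bucket's versioning configuration, so Status must
    be Enabled alongside it; `revert` switches MFADelete back to Disabled
    (which still requires a valid MFA value, by design).
    """
    serial, code = parse_mfa(mfa)
    return {
        "Bucket": bucket,
        "MFA": f"{serial} {code}",
        "VersioningConfiguration": {
            "Status": "Enabled",
            "MFADelete": "Disabled" if revert else "Enabled",
        },
    }


def make_session(profile: Optional[str] = None,
                 access_key: Optional[str] = None,
                 secret: Optional[str] = None):
    """Credential fallbacks in the playbook's order: explicit profile or keys,
    then AWS_* environment variables, then ~/.aws (boto3's default chain
    already tries the environment before the shared config files)."""
    import boto3  # imported lazily so the pure helpers above run without boto3
    if profile:
        return boto3.Session(profile_name=profile)
    if access_key and secret:
        return boto3.Session(aws_access_key_id=access_key, aws_secret_access_key=secret)
    if "AWS_ACCESS_KEY_ID" not in os.environ:
        print("no explicit credentials or AWS_* variables; using ~/.aws configuration")
    return boto3.Session()


def apply_mfa_delete(s3, bucket: str, mfa: str, revert: bool = False) -> str:
    """Apply the change and return the MFADelete state read back from the bucket,
    so the caller verifies the result instead of trusting the request succeeded."""
    s3.put_bucket_versioning(**build_versioning_request(bucket, mfa, revert))
    return s3.get_bucket_versioning(Bucket=bucket).get("MFADelete", "Disabled")


class FakeS3Client:
    """Constructed stand-in for a boto3 S3 client so the example runs offline."""

    def __init__(self):
        self.config = {}

    def put_bucket_versioning(self, Bucket, MFA, VersioningConfiguration):
        if " " not in MFA:  # the real API rejects a header missing serial or code
            raise ValueError("InvalidRequest: MFA header malformed")
        self.config[Bucket] = dict(VersioningConfiguration)

    def get_bucket_versioning(self, Bucket):
        return dict(self.config.get(Bucket, {}))


if __name__ == "__main__":
    # Against AWS: client = make_session(profile="<aws_profile>").client("s3")
    client = FakeS3Client()
    print(apply_mfa_delete(client, "example-bucket",
                           "arn:aws:iam::123456789012:mfa/alice 123456"))          # Enabled
    print(apply_mfa_delete(client, "example-bucket",
                           "arn:aws:iam::123456789012:mfa/alice 654321", revert=True))  # Disabled
```

Two caveats for the real call: AWS accepts MFA Delete changes only from the bucket owner's root user, so the session must carry root credentials with an MFA device attached (IAM-user credentials are refused), and the code is only valid for the current time window, so the value is read fresh at execution time rather than stored in a config file.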
Prerequisites
2. Python v3.6 and above + the boto3 package installed (pip install boto3)
Frequently Asked Questions
What does this playbook automate?
This playbook automates the process of enabling MFA delete protection on S3 buckets. It ensures sensitive deletion actions require a valid MFA code for added security.
What is MFA delete on S3 and why is it important?
MFA delete on S3 is a setting that requires multi-factor authentication to permanently delete versioned objects or change the bucket’s versioning configuration. It helps prevent accidental or unauthorized deletions.
What credentials are required to run this automation?
You need AWS credentials with permissions to modify S3 bucket configurations. These can be passed as a profile, access keys, or through environment variables.
What format is used to provide the MFA code?
You must pass the MFA value as a combination of your device’s serial number, a space, and the current authentication code from the MFA device.
Can this playbook revert the MFA delete setting?
Yes. You can use the --revert true parameter to undo the MFA delete protection if needed. This allows temporary security changes with rollback options.
Is configuring MFA delete suitable for all S3 buckets?
Yes, but it is especially recommended for buckets containing critical or compliance-sensitive data. Configuring MFA delete strengthens protection against malicious deletions and enforces multi-factor safeguards.