Ensure MFA Delete is enabled on S3 buckets

Enabling MFA delete for versioning is a good way to add extra protection to sensitive files stored in buckets.

Risk Level: Low
Cloud Entity: Simple Storage Service (S3)
CloudGuard Rule ID: D9.AWS.IAM.43
Covered by Spectral: Yes
Category: Storage


S3Bucket should have versioning.mfaDelete=true


You can not perform Enable MFA Delete through AWS Management Console, this is required to use the AWS CLI or API. You can perform MFA Delete on S3 buckets using 'root' account only. Use following steps to enable MFA delete on an S3 bucket.

From TF

resource "aws_s3_bucket" "test" {
	bucket = "my-tf-test-bucket"
	acl    = "private"
	tags = {
		Name        = "My bucket"
		Environment = "Dev"
	+ versioning {
		enabled = true
		+ mfa_delete = true
	+ }

From Command Line
Using the AWS s3api CLI, enable MFA Delete for the S3 buckets that fail this rule, for example:

aws s3api put-bucket-versioning --bucket BUCKET_NAME --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa 'arn:aws:iam::aws_account_id:mfa/root-account-mfa-device pass code'


  1. https://aws.amazon.com/blogs/security/securing-access-to-aws-using-mfa-part-3
  2. https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiFactorAuthenticationDelete.html

Simple Storage Service (S3)

Companies today need the ability to simply and securely collect, store, and analyze their data at a massive scale. Amazon S3 is object storage built to store and retrieve any amount of data from anywhere ��� web sites and mobile apps, corporate applications, and data from IoT sensors or devices. It is designed to deliver 99.999999999% durability, and stores data for millions of applications used by market leaders in every indu

Compliance Frameworks

  • AWS CCPA Framework
  • AWS CIS Foundations v. 1.4.0
  • AWS CIS Foundations v. 1.5.0
  • AWS CIS Foundations v. 2.0.0
  • AWS CSA CCM v.3.0.1
  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard S3 Bucket Security
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS GDPR Readiness
  • AWS HITRUST v11.0.0
  • AWS ISO 27001:2013
  • AWS ISO27001:2022
  • AWS LGPD regulation
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-171
  • AWS NIST 800-53 Rev 4
  • AWS NIST 800-53 Rev 5
  • AWS NIST CSF v1.1
  • AWS PCI-DSS 3.2
  • CloudGuard AWS All Rules Ruleset