Ensure your S3 buckets have MFA delete enabled for sensitive buckets

Ensure that your S3 buckets have MFA delete enabled to block accidental or malicious deletion. This is considered a security best practice and should always be done. Ensuring this is enabled will help with NIST,PCI-DSS and GDPR compliance.

Audit & Remediation

  • In order to validate this, this must be carried out via the aws cli.
aws s3api get-bucket-versioning	--bucket my-bucket-12345452345
  • Since MFA Delete requires the object versioning as dependency, the best practice is to enable these two S3 features at the same time. Run put-bucket-versioning command (OSX/Linux/UNIX) to enable versioning and MFA delete for the selected bucket (use the MFA device activated for your AWS root account and replace the highlighted details with your own access details):
aws s3api put-bucket-versioning --bucket my-bucket-12345452345 --versioning-configuration '{"MFADelete":"Enabled","Status":"Enabled"}' --mfa 'arn:aws:iam::aws_account_id:mfa/root-account-mfa-device passcode'
  • Repeat the outlined steps for each S3 bucket that you have.
See all of your AWS S3 Buckets in a single place!

Do you want to see all S3 Buckets in once place for all regions and all accounts?
Login to our online demo to see exactly what this looks like.


Other Key Features


Consolidate your inventory management with consistent and frequent security logs, inventories, and change logs. Dashboard reporting for extensive analytical value.

learn more +

Cost & Usage

Access consolidated capacity, cost, and volume tools in a scaling environment without impacting production or breaking the bank.

learn more +