AWS Security Blog

Securing Access to AWS Using MFA – Part 3

by Kai Zhao | in Best Practices, How-to guides

In Part 1 (configuring MFA for sign-in) and Part 2 (MFA-protected API access) of this series, we discussed various ways in which AWS Multi-Factor Authentication (MFA) can improve the security of your account.  This week’s topic will be a brief overview of how you can use MFA in conjunction with Amazon S3 Versioning.

What is S3 Versioning?

It’s a version control feature for S3 that enables you to revert to older versions of an S3 object, which helps provide protection against accidental or malicious deletion.

Versioning keeps multiple versions of an object in the same bucket.  When you enable it on a bucket, Amazon S3 automatically adds a unique version ID to every object stored in the bucket.  At that point, a simple DELETE action does not permanently delete an object version; it merely associates a delete marker with the object.  If you want to permanently delete an object version, you must specify its version ID in your DELETE request.

How does MFA fit in with S3 Versioning?

You can add another layer of protection by enabling MFA Delete on a versioned bucket.  Once you do so, you must provide your AWS account’s access keys and a valid code from the account’s MFA device in order to permanently delete an object version or suspend or reactivate versioning on the bucket.

Note:  MFA Delete only works for CLI or API interaction, not in the AWS Management Console.  Also, you cannot make version DELETE actions with MFA using IAM user credentials. You must use your root AWS account.

The sample request below shows how to delete a specific version of my-image.jpg in a bucket called bucketName, which has MFA Delete enabled.  Note that you must include the x-amz-mfa request header, which consists of the concatenation of your MFA device’s serial number, a space, and the MFA code.

DELETE /my-image.jpg?versionId=3HL4kqCxf3vjVBH40Nrjfkd HTTP/1.1
Host: bucketName.s3.amazonaws.com
x-amz-mfa: serial_number 123456
Date: Wed, 28 Oct 2009 22:32:00 GMT
Authorization: AWS AKIAIOSFODNN7EXAMPLE:0RQf4/cRonhpaBX5sCYVf1bNRuU=
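The same operations through a boto3-style client, as an added illustration that is not code from this post or from the S3 Developer Guide: building the x-amz-mfa value, auditing which buckets actually have MFA Delete turned on, and enabling it where it is missing. The _FakeS3 class and its bucket names are a constructed in-memory stand-in so the block runs offline; for a real audit, pass boto3.client("s3") (signed with root credentials, as the post notes) in its place.

```python
# Added example: audit and enable S3 Versioning + MFA Delete via a boto3-style client.
# _FakeS3 below is a constructed stand-in so this runs with no AWS account.

def mfa_header(serial: str, code: str) -> str:
    """x-amz-mfa value: MFA device serial (or ARN), a space, then the six-digit code."""
    if not (code.isdigit() and len(code) == 6):
        raise ValueError("MFA code must be exactly six digits")
    return f"{serial} {code}"

def classify_bucket(versioning: dict) -> str:
    """Classify a get_bucket_versioning response; both keys are absent if never versioned."""
    status = versioning.get("Status")  # None | 'Enabled' | 'Suspended'
    if status is None:
        return "VERSIONING_OFF"
    if status == "Suspended":
        return "VERSIONING_SUSPENDED"
    return "PROTECTED" if versioning.get("MFADelete") == "Enabled" else "NO_MFA_DELETE"

def audit_buckets(s3) -> dict:
    """Map every bucket the client can list to its versioning/MFA Delete classification."""
    return {b["Name"]: classify_bucket(s3.get_bucket_versioning(Bucket=b["Name"]))
            for b in s3.list_buckets()["Buckets"]}

def enable_mfa_delete(s3, bucket: str, serial: str, code: str) -> None:
    """Turn on Versioning and MFA Delete; S3 accepts this only from root with a valid MFA code."""
    s3.put_bucket_versioning(
        Bucket=bucket,
        MFA=mfa_header(serial, code),
        VersioningConfiguration={"Status": "Enabled", "MFADelete": "Enabled"},
    )

class _FakeS3:
    """Constructed in-memory client mimicking the three boto3 S3 calls used above."""
    def __init__(self):
        self.state = {  # constructed sample buckets
            "logs-bucket": {"Status": "Enabled", "MFADelete": "Enabled"},
            "media-bucket": {"Status": "Enabled", "MFADelete": "Disabled"},
            "scratch-bucket": {},
            "archive-bucket": {"Status": "Suspended", "MFADelete": "Disabled"},
        }
    def list_buckets(self):
        return {"Buckets": [{"Name": n} for n in self.state]}
    def get_bucket_versioning(self, Bucket):
        return dict(self.state[Bucket])
    def put_bucket_versioning(self, Bucket, VersioningConfiguration, MFA=None):
        # Real S3 rejects MFADelete changes without the x-amz-mfa header; mirror that.
        if VersioningConfiguration.get("MFADelete") == "Enabled" and not MFA:
            raise ValueError("MFA Delete changes require the x-amz-mfa header")
        self.state[Bucket] = dict(VersioningConfiguration)
```

Running audit_buckets(_FakeS3()) flags media-bucket as versioned but without MFA Delete, the gap a permanent version DELETE would exploit; enable_mfa_delete closes it.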

Additional Resources

See the S3 Developer Guide for a code sample that activates S3 Versioning and MFA Delete on a bucket.

Kai Zhao
Product Manager, AWS IAM
