I want to configure an S3 bucket so that I can retrieve files that have been deleted from the bucket.
It is possible to safeguard against accidental deletion of files contained in an S3 bucket by enabling both S3 versioning and root account multi-factor authentication (MFA) delete support for the bucket. If both versioning and root account MFA delete support are enabled, any files deleted from the bucket are marked for deletion and no longer visible to non-multi-factor authenticated users, even if the user is a bucket owner. Files marked for deletion in this scenario can only be permanently deleted by using multi-factor-authenticated root account credentials with bucket owner permissions.
When versioning and MFA delete support are enabled for an S3 bucket and a file is deleted from that bucket, that file is no longer accessible by users, and a DeleteMarker file version ID is created for the file. To make the file available for normal access again, a multi-factor-authenticated root account credentials can be used to remove the DeleteMarker file version ID.
Note
Undeleting files in S3 buckets that have enabled both S3 versioning and root account MFA delete support is a non-trivial task, especially when performed via the AWS CLI. Enabling undelete functionality should be done sparingly because of the potential work load that can occur when undeleting a large number of files. Some third-party utilities provide support for MFA delete, making the process of undeleting easier, but these utilities still require typing the requested MFA code each time that an object is undeleted from a bucket.
This example uses the AWS CLI to protect the contents of an S3 bucket from deletion by applying versioning and MFA delete support. When an S3 bucket is configured with versioning and root-account MFA delete support, any files deleted by users can be undeleted with multi-factor authenticated root account credentials and bucket owner permissions.
- The bucket owner must have root account credentials configured with multi-factor authentication.
- Access to a physical or virtual MFA device for MFA tokens.
- The AWS Command Line Interface must be installed and configured with the root account access keys.
Note
For purposes of this example, the AWS CLI is configured with a default output format of json, and the following sample values are used:
- Bucket name: protectedbucket
- AWS account number: 2222-3333-4444
- File name: undelete.txt
Important
The AWS CLI was installed on Linux for this example. If you are running the AWS CLI on a different platform, see Specifying Parameter Values for the AWS Command Line Interface for information about syntax when running on other platforms.
1. Run the following AWS CLI command to create an S3 bucket. If the operation is successful, the command returns the name of the bucket.
aws s3 mb s3://protectedbucket
make_bucket: s3://protectedbucket/
2. Enable MFA delete and versioning support for your bucket:
aws s3api put-bucket-versioning --bucket protectedbucket
--versioning-configuration '{"MFADelete":"Enabled","Status":"Enabled"}'
--mfa 'arn:aws:iam::222233334444:mfa/root-account-mfa-device token' --d
Note
Substitute appropriate values for protectedbucket, your AWS account number (222233334444 in the example), and token. You obtain the value for token from the MFA device associated with your root account. If you run this command from a Windows command prompt or a Windows PowerShell prompt, review Specifying Parameter Values for the AWS Command Line Interface for information about the correct syntax. The --d parameter specified at the end of the command is the abbreviated version of --debug.
3. Verify that versioning and MFA delete support are enabled by running the following command.
aws s3api get-bucket-versioning --bucket protectedbucket
If the operation is successful, the command returns these results:
{
"Status": "Enabled",
"MFADelete": "Enabled"
}
4. Upload a file to your S3 bucket by running the following command, substituting your own file for undelete.txt. If the operation is successful, the command returns the file path.
aws s3 cp undelete.txt s3://protectedbucket/
upload: .\undelete.txt to s3://protectedbucket/undelete.txt
5. Verify that the file was uploaded to the S3 bucket by running the following command. This will return the contents of the bucket and should list the file you uploaded along with the size of the file and the time the files was uploaded.
aws s3 ls s3://protectedbucket
6. Run the following command to delete the file. Because MFA delete and versioning support are enabled for the bucket, the file should appear to be gone but in fact will now have a DeleteMarker file version ID marking the file for deletion.
aws s3 rm s3://protectedbucket/undelete.txt
Repeat step 5 to verify that the file does not appear in a normal bucket file listing.
7. Run the following command to list all versioned objects for the bucket. This command displays hidden objects. Note that this command returns a file version ID designated as a DeleteMarker.
aws s3api list-object-versions --bucket protectedbucket
{
"DeleteMarkers": [
{
"Owner": {
"DisplayName": "AwsTestAcct",
"ID": "2998…6d9810"
},
"IsLatest": true,
"VersionId": "Faq.NOzHyd6tjAKF1iObKbEnNQkIMPjj",
"Key": "undelete.txt",
"LastModified": "2016-12-09T15:13:45.000Z"
}
],
"Versions": [
{
"LastModified": "2016-12-09T15:02:26.000Z",
"VersionId": "IIBiXG2zzrA5KZTCbTKOln2.V_lujWiG",
"ETag": "\"252dcf1430a022a1cc346779e3cb19b9\"",
"StorageClass": "STANDARD",
"Key": "undelete.txt",
"Owner": {
"DisplayName": "AwsTestAcct",
"ID": "2998…6d9810"
},
"IsLatest": false,
"Size": 540
}
]
}
8. Run the following command to attempt to delete the file version ID that is set as a DeleteMarker.
aws s3api delete-object --bucket protectedbucket --version-id 'Faq.NOzHyd6tjAKF1iObKbEnNQkIMPjj'
–-key undelete.txt
This attempt fails because the bucket is configured with MFA delete support. An error message similar to the following should be returned.
A client error (AccessDenied) occurred when calling the DeleteObject operation: Mfa Authentication must be used for this request
9. Run the following command, using MFA to remove the file version ID designated as a DeleteMarker. This will return the file to normal status, allowing non-MFA users with permission to read the bucket to see the file.
aws s3api delete-object --bucket protectedbucket --version-id "Faq.NOzHyd6tjAKF1iObKbEnNQkIMPjj"
--key undelete.txt --mfa 'arn:aws:iam::222233334444:mfa/root-account-mfa-device token' --d
10. Run the following command to verify that the previously deleted file is now visible.
aws s3 ls s3://protectedbucket
11. (Optionally) run the following command to disable MFA delete support and versioning functionality if no longer needed.
aws s3api put-bucket-versioning --bucket protectedbucket
--versioning-configuration '{"MFADelete":"Disabled","Status":"Suspended"}'
--mfa 'arn:aws:iam::222233334444:mfa/root-account-mfa-device token' --d
12. Run the following command to verify that versioning support has been suspended and MFA delete support been disabled.
aws s3api get-bucket-versioning –-bucket protectedbucket
If you have successfully suspended versioning support and disabled MFA delete support, the command will return the following results.
{
"Status": "Suspended",
"MFADelete": "Disabled"
}
For more information about multi-factor authentication delete, see MFA Delete.
Amazon S3, multi-factor authentication, MFA, delete, undelete, protect, bucket, files
Did this page help you? Yes | No
Back to the AWS Support Knowledge Center
Need help? Visit the AWS Support Center
Published: 2015-12-31
