...

  • MFA delete can be enabled only via the AWS CLI or SDK. It cannot be enabled via the AWS S3 web console.
  • Since the root user in Cornell AWS accounts is generally not allowed to have AWS access keys configured, the root user must temporarily create access keys to use with the CLI/SDK.
    • One might think that a work-around for the access keys requirement would be to use AWS CloudShell, which automatically creates temporary access keys for CLI commands. However, those temporary access keys won't work for enabling MFA delete: the request must be signed with standard (long-term) access keys belonging to the root user. Once such keys are configured in CloudShell, the CLI command can be issued from there.
    • Warning: delete any root user access keys created for enabling MFA delete immediately after use.


Code Block
# Virtual MFA token
aws s3api put-bucket-versioning \
    --bucket BUCKET_NAME \
    --versioning-configuration Status=Enabled,MFADelete=Enabled \
    --mfa "arn:aws:iam::123456789012:mfa/root-account-mfa-device MFA_CODE"

# -OR-
# Physical MFA token
aws s3api put-bucket-versioning \
    --bucket BUCKET_NAME \
    --versioning-configuration Status=Enabled,MFADelete=Enabled \
    --mfa "MFA_SERIAL_NUMBER MFA_CODE"
  • BUCKET_NAME is the name (not ARN) of the bucket for which you wish to enable MFA delete. E.g., "my-important-bucket".
  • The argument to the "--mfa" parameter is a single string made up of the ARN (virtual device) or serial number (physical device) of the root user's MFA device, followed by a space, followed by the 6-digit code currently shown by the device. The code expires quickly, so read it immediately before running the command.
  • This command also enables versioning for the bucket; versioning is a prerequisite for enabling MFA delete.
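The steps above (long-term root keys, the put-bucket-versioning call, deleting the keys afterwards) as one script. This is an added example, not part of the original page or any Cornell tooling; the bucket name, MFA device ARN and access key values are placeholders, and it assumes the root access key pair was created by hand in the console and exported as AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY before the script is run. It also refuses to run when AWS_SESSION_TOKEN is set, since temporary credentials (CloudShell, assumed roles) cannot enable MFA delete, and it reads the bucket configuration back to confirm the change took effect.

```shell
#!/bin/sh
# Added example, not from the original page: enable S3 MFA Delete as the root
# user, verify the result, and remove the temporary root access key afterwards.
#
# Assumptions (all values are placeholders): the root access key pair was
# created manually in the console and exported as AWS_ACCESS_KEY_ID and
# AWS_SECRET_ACCESS_KEY; BUCKET, MFA_SERIAL and MFA_CODE are passed as the
# three positional arguments.
set -eu

# Refuse to run with anything other than long-term root keys. A session token
# means temporary credentials (CloudShell, an assumed role), which cannot be
# used to enable MFA Delete.
check_credentials() {
    if [ -z "${AWS_ACCESS_KEY_ID:-}" ] || [ -z "${AWS_SECRET_ACCESS_KEY:-}" ]; then
        echo "AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY must be set to the root user's keys" >&2
        return 1
    fi
    if [ -n "${AWS_SESSION_TOKEN:-}" ]; then
        echo "AWS_SESSION_TOKEN is set: temporary credentials cannot enable MFA Delete" >&2
        return 1
    fi
}

# Build the --mfa argument: "<device ARN or serial> <6-digit code>".
# A malformed code fails here instead of after a round trip to S3.
build_mfa_arg() {
    serial="$1"
    code="$2"
    case "$code" in
        [0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "MFA code must be exactly 6 digits, got '$code'" >&2; return 1 ;;
    esac
    printf '%s %s' "$serial" "$code"
}

# True when a get-bucket-versioning JSON document shows both versioning and
# MFA Delete enabled. Uses grep only, so it works without jq.
mfa_delete_enabled() {
    json="$1"
    printf '%s' "$json" | grep -Eq '"Status"[[:space:]]*:[[:space:]]*"Enabled"' &&
    printf '%s' "$json" | grep -Eq '"MFADelete"[[:space:]]*:[[:space:]]*"Enabled"'
}

enable_mfa_delete() {
    bucket="$1"
    mfa_arg=$(build_mfa_arg "$2" "$3")
    aws s3api put-bucket-versioning \
        --bucket "$bucket" \
        --versioning-configuration Status=Enabled,MFADelete=Enabled \
        --mfa "$mfa_arg"
    # Read the configuration back; get-bucket-versioning needs no MFA code.
    # Expected shape: {"Status": "Enabled", "MFADelete": "Enabled"}
    state=$(aws s3api get-bucket-versioning --bucket "$bucket" --output json)
    if mfa_delete_enabled "$state"; then
        echo "MFA Delete is enabled on s3://$bucket"
    else
        echo "MFA Delete is NOT enabled on s3://$bucket; response: $state" >&2
        return 1
    fi
}

main() {
    check_credentials
    enable_mfa_delete "$1" "$2" "$3"
    # Remove the root key used for this run. Without --user-name, IAM deletes
    # the key of the calling identity, here the root user. Confirm in the
    # console afterwards that no root access keys remain.
    aws iam delete-access-key --access-key-id "$AWS_ACCESS_KEY_ID"
    echo "Deleted root access key $AWS_ACCESS_KEY_ID"
}

# Only run when invoked with BUCKET MFA_SERIAL MFA_CODE; sourcing the file
# defines the functions without touching AWS.
if [ "$#" -eq 3 ]; then
    main "$@"
fi
```

Usage: `sh enable-mfa-delete.sh my-important-bucket arn:aws:iam::123456789012:mfa/root-account-mfa-device 123456` (or the physical device's serial number in place of the ARN). Because the script runs with `set -e`, any failure stops it before the key-deletion step, so if it aborts part-way the root access key must be deleted by hand in the console.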

...