How to set up MFA Delete on AWS
There are three ways for an IAM user to interact with the AWS cloud: the AWS CLI, the REST API and, of course, the web console (dashboard). While the console is the easiest way to accomplish most tasks, several tasks can only be done through the CLI. Setting up MFA Delete on S3 is one of them.
MFA Delete on S3 buckets (can only be done via the CLI).
To install the CLI, you need a Python runtime and pip.
Step 1 – Install Python and PIP
a) https://www.python.org/downloads/release/python-365/
b) https://github.com/BurntSushi/nfldb/wiki/Python-&-pip-Windows-installation
Step 2 – Install the AWS CLI using the following pip command from a cmd prompt
$ pip install awscli --upgrade --user
Step 3 – Configure AWS CLI – using your Access Key and Secret Key.
$ aws configure
AWS Access Key ID [None]: MYACCESSKEYEXAMPLE
AWS Secret Access Key [None]: afdfrXUtnGSAD/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-west-2
Default output format [None]: json
Step 4 – Now, here’s the tricky part. There is no separate MFA Delete command in the S3 API; it is set through the bucket versioning commands instead.
put-bucket-versioning --bucket <value> [--content-md5 <value>] [--mfa <value>] --versioning-configuration <value> [--cli-input-json <value>] [--generate-cli-skeleton <value>]
aws s3api put-bucket-versioning --bucket my-bucket --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "<mfa-device-serial-arn> <current-mfa-code>"
The --mfa value is the serial (ARN) of your MFA device followed by a space and the code it currently shows, quoted together as one argument, and the command must be run with the bucket owner's root account credentials, because only the root user can enable MFA Delete.
That's it. Try it out and see if it works.
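As an added example that is not part of the original post, here is a small POSIX shell wrapper around the two s3api calls: it validates the --mfa argument before use and re-reads the bucket configuration afterwards so you can confirm that both versioning and MFA Delete are really on. The profile name, bucket name and the MFA ARN are placeholders, and the sample JSON at the bottom is constructed to mirror get-bucket-versioning output.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the AWS CLI installed
# in the steps above and a profile holding the bucket owner's root credentials
# (only the root account can enable MFA Delete). Names below are placeholders.

# The --mfa value is "<MFA device serial ARN> <current 6-digit code>", joined
# by one space, which is why it has to be quoted as a single argument.
mfa_arg_ok() {
  printf '%s' "$1" | grep -Eq '^arn:aws:iam::[0-9]{12}:mfa/[^ ]+ [0-9]{6}$'
}

# Return 0 only if get-bucket-versioning JSON (read from stdin) shows both
# versioning and MFA Delete enabled; one without the other is not enough.
mfa_delete_enabled() {
  out=$(cat)
  if printf '%s' "$out" | grep -Eq '"Status": *"Enabled"' &&
     printf '%s' "$out" | grep -Eq '"MFADelete": *"Enabled"'; then
    return 0
  fi
  return 1
}

# Enable MFA Delete on a bucket, then re-read the configuration to confirm.
# usage: enable_mfa_delete <profile> <bucket> "<mfa-serial-arn> <code>"
enable_mfa_delete() {
  profile=$1; bucket=$2; mfa=$3
  mfa_arg_ok "$mfa" || { echo "bad --mfa value: '$mfa'" >&2; return 2; }
  aws s3api put-bucket-versioning --profile "$profile" --bucket "$bucket" \
    --versioning-configuration Status=Enabled,MFADelete=Enabled \
    --mfa "$mfa" || return 1
  aws s3api get-bucket-versioning --profile "$profile" --bucket "$bucket" \
    | mfa_delete_enabled
}

# Constructed samples of get-bucket-versioning output for an offline check.
SAMPLE_OK='{ "Status": "Enabled", "MFADelete": "Enabled" }'
SAMPLE_PARTIAL='{ "Status": "Enabled", "MFADelete": "Disabled" }'
```

Call enable_mfa_delete RootUser my-bucket "arn:aws:iam::<account-id>:mfa/<device> <code>" from a shell where the root profile is configured; a non-zero exit means the configuration did not come back as fully enabled.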
Hi. I tried these steps and wasn’t able to get it to work. I typed in:
aws s3 put-bucket-versioning s3://my-bucket --mfadelete = "enabled"
and the command wasn’t recognized.
Try this:
To enable MFA Delete:
aws s3api put-bucket-versioning --profile RootUser --bucket MyVersionBucket --versioning-configuration MFADelete=Enabled,Status=Enabled --mfa 'arn:…. 012345'
Note: the MFA is referenced with single quotes around it
To check your bucket configuration:
aws s3api get-bucket-versioning --profile RootUser --bucket MyVersionBucket