S3 bucket MFA delete control is disabled (affecting the S3 service in AWS)


Severity: medium (Snyk CCSS score 0.0 on a scale of 0 to 10)
Severity Framework: Snyk CCSS
Rule category: Data / Lifecycle

  • Frameworks: CIS-AWS, CIS-Controls, CSA-CCM, SOC-2
  • Snyk ID: SNYK-CC-00234
  • Credit: Snyk Research Team

Description

The S3 bucket does not require MFA on delete requests: with MFA delete disabled, an object version can be permanently deleted and the bucket's versioning state changed using ordinary credentials alone.

How to fix?

Enable MFA delete in the bucket's versioning configuration. The field to set depends on the AWS provider version:

  • For AWS provider < v4.0.0, ensure that the versioning block of the aws_s3_bucket resource sets the field mfa_delete to true.
  • For AWS provider >= v4.0.0, ensure that the versioning_configuration block of an aws_s3_bucket_versioning resource sets the field mfa_delete to "Enabled".

MFA delete only takes effect when versioning itself is enabled, and AWS accepts the change only when the request is authenticated with the bucket owner's (root user's) MFA device, which is why the provider >= v4.0.0 example below passes the device serial number and current code in the mfa argument.

Example Configuration

# For AWS provider < v4.0.0: versioning is a nested block of the bucket resource
resource "aws_s3_bucket" "example" {
  bucket_prefix = "example-"

  versioning {
    enabled    = true
    mfa_delete = true
  }
}

# For AWS provider >= v4.0.0: versioning moves to its own resource
resource "aws_s3_bucket" "example" {
  bucket_prefix = "example-"
}

resource "aws_s3_bucket_versioning" "example" {
  bucket = aws_s3_bucket.example.id

  # Serial number (ARN) of the MFA device, a space, then the current code shown on the device
  mfa = "arn:aws:iam::0000000000:mfa/my-mfa-device 123456"

  versioning_configuration {
    status     = "Enabled"
    mfa_delete = "Enabled"
  }
}
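To confirm that the fix above actually took effect (Terraform state can lag behind what AWS enforces), a defender would query each bucket's versioning configuration and flag any bucket where MFA delete is not active. The following script is an added example, not part of the Snyk rule page or the provider's own code. It evaluates responses shaped like the output of the real S3 GetBucketVersioning API (boto3's s3.get_bucket_versioning), in which both the Status and MFADelete keys are absent when the bucket has never been versioned. The bucket names and responses in SAMPLE_RESPONSES are constructed for the example; the optional collect_live_responses helper is a hypothetical wrapper around boto3 and is only called when you run the script with --live.

```python
"""Audit S3 buckets for MFA delete using GetBucketVersioning responses (added example)."""
import sys
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Finding:
    bucket: str
    versioning: str   # "Enabled", "Suspended" or "NotConfigured"
    mfa_delete: str   # "Enabled" or "Disabled"
    compliant: bool
    reason: str


def evaluate_bucket(bucket: str, versioning_response: dict) -> Finding:
    """Classify one bucket from its GetBucketVersioning response.

    AWS omits 'Status' for buckets that were never versioned and omits
    'MFADelete' when it was never configured, so missing keys are treated
    as the insecure default rather than raising.
    """
    status = versioning_response.get("Status", "NotConfigured")
    mfa_delete = versioning_response.get("MFADelete", "Disabled")

    # MFA delete can only protect a bucket whose versioning is Enabled;
    # a Suspended or never-configured bucket is non-compliant regardless.
    if status != "Enabled":
        return Finding(bucket, status, mfa_delete, False,
                       "versioning is not Enabled, so MFA delete cannot apply")
    if mfa_delete != "Enabled":
        return Finding(bucket, status, mfa_delete, False,
                       "MFA delete is not Enabled (SNYK-CC-00234)")
    return Finding(bucket, status, mfa_delete, True, "MFA delete is Enabled")


def audit(responses: Dict[str, dict]) -> List[Finding]:
    """Evaluate every bucket and return findings in bucket-name order."""
    return [evaluate_bucket(name, resp) for name, resp in sorted(responses.items())]


def non_compliant(findings: List[Finding]) -> List[str]:
    """Bucket names that still need the fix from this rule."""
    return [f.bucket for f in findings if not f.compliant]


# Constructed sample responses covering the states a real account can be in.
SAMPLE_RESPONSES: Dict[str, dict] = {
    "prod-backups":   {"Status": "Enabled", "MFADelete": "Enabled"},
    "staging-assets": {"Status": "Enabled", "MFADelete": "Disabled"},
    "logs-archive":   {"Status": "Suspended", "MFADelete": "Disabled"},
    "scratch":        {},   # never versioned: AWS returns neither key
}


def collect_live_responses() -> Dict[str, dict]:
    """Hypothetical helper: fetch responses for every bucket with boto3.

    Requires boto3 and read-only S3 permissions (s3:ListAllMyBuckets and
    s3:GetBucketVersioning); imported lazily so the offline demo runs without it.
    """
    import boto3  # assumption: boto3 is installed when --live is used
    s3 = boto3.client("s3")
    names = [b["Name"] for b in s3.list_buckets()["Buckets"]]
    return {name: s3.get_bucket_versioning(Bucket=name) for name in names}


if __name__ == "__main__":
    responses = collect_live_responses() if "--live" in sys.argv else SAMPLE_RESPONSES
    for f in audit(responses):
        mark = "PASS" if f.compliant else "FAIL"
        print(f"{mark} {f.bucket:<16} versioning={f.versioning:<14} "
              f"mfa_delete={f.mfa_delete:<9} {f.reason}")
```

Run without arguments to see the four constructed states classified; only prod-backups passes, and logs-archive fails on versioning rather than on MFA delete, which is the ordering a remediation ticket should follow (re-enable versioning first, then enable MFA delete with the root user's MFA device).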