S3 bucket MFA delete control is disabled Affecting S3 service in AWS

Snyk CCSS

Data / Lifecycle

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

CIS-AWS CIS-Controls CSA-CCM SOC-2

Snyk ID SNYK-CC-00234
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

S3 bucket will not enforce MFA login on delete requests.

How to fix?

Set the aws_s3_bucket versioning block mfa_delete field to true.

For AWS provider < v4.0.0 ensure that the versioning block of an aws_s3_bucket sets the field mfa_delete to true.
For AWS provider >= v4.0.0 ensure that the versioning_configuration block of an aws_s3_bucket_versioning resource sets the field mfa_delete to Enabled.

Example Configuration

# For AWS provider < v4.0.0
resource "aws_s3_bucket" "example" {
  versioning {
    enabled = true
    mfa_delete = true
  }
}

# For AWS provider >= v4.0.0
resource "aws_s3_bucket" "example" {
  bucket_prefix = "example-"
}

resource "aws_s3_bucket_versioning" "example" {
  bucket = aws_s3_bucket.example.id
  mfa = "arn:aws:iam::0000000000:mfa/my-mfa-device 123456"

  versioning_configuration {
    status = "Enabled"
    mfa_delete = "Enabled"
  }
}

Terraform

References

Configuring MFA delete