MFA delete adds an extra authentication factor that must be provided before object versions can be permanently deleted from a versioned S3 bucket or before the bucket’s versioning state can be changed.

Why is this an issue?

When versioning is enabled on an S3 bucket without MFA delete, any principal (user, role or process) that holds delete permission on the bucket can permanently remove object versions or change the versioning state using only its regular credentials. With MFA delete, the request must additionally carry the serial number and current code of a valid MFA device, which turns a permanent deletion into a deliberate two-step action rather than something that a single set of leaked or stolen credentials can trigger on its own.

This rule also detects the legacy syntax used with AWS provider version 3 or below, where MFA delete is configured through the versioning block of the aws_s3_bucket resource (mfa_delete = true). Note that in provider version 3 this argument only records the bucket's state in Terraform; enabling MFA delete itself has to be done out of band with the AWS CLI or API.

What is the potential impact?

Without MFA delete, the accidental or malicious deletion of object versions cannot be reliably prevented: versioning alone only protects against overwrites and ordinary deletes, not against a delete of every version. If the bucket is used to preserve sensitive information over the long term (backups, audit logs, evidence), or if delete permission is granted broadly, a single compromised set of credentials is enough for an attacker to permanently destroy the stored data by removing all of its versions.

How to fix it

Code examples

The following example uses the AWS provider version 4 or above syntax, where versioning and MFA delete are configured through a dedicated aws_s3_bucket_versioning resource. Two practical caveats apply: MFA delete can only be enabled by the root user of the account that owns the bucket, and not through the S3 console, so the credentials used for the apply must be root credentials with an MFA device attached; and the mfa argument takes the device serial number, a space, and the code currently displayed on the device, so a fresh code is needed for every apply that changes the versioning state. Once applied, the bucket's versioning configuration reports MFADelete as Enabled (for example in the GetBucketVersioning API response), which is the check to run to confirm the setting took effect.

Noncompliant code example

resource "aws_s3_bucket" "example" {
  bucket = "example"
}

resource "aws_s3_bucket_versioning" "example" { # Noncompliant
  bucket = aws_s3_bucket.example.id
  versioning_configuration {
    status = "Enabled"
  }
}

Compliant solution

# Serial number and current code of the root user's MFA device, for example
# "arn:aws:iam::123456789012:mfa/root-account-mfa-device 123456"; passed in at apply time.
variable "MFA" {
  type      = string
  sensitive = true
}

resource "aws_s3_bucket" "example" {
  bucket = "example"
}

resource "aws_s3_bucket_versioning" "example" {
  bucket = aws_s3_bucket.example.id
  versioning_configuration {
    status     = "Enabled"
    mfa_delete = "Enabled" # permanent version deletes and versioning changes now require MFA
  }
  mfa = var.MFA # required whenever mfa_delete is "Enabled"
}
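As an added example (not SonarSource's own implementation of this rule), the following Python scanner mirrors the two cases the rule describes: an aws_s3_bucket_versioning resource whose status is Enabled without mfa_delete = "Enabled", and the legacy provider 3 versioning block inside aws_s3_bucket with enabled = true but no mfa_delete = true. The HCL it scans is constructed inline for the example; the regex-based parsing assumes the conventional one-attribute-per-line layout and does not handle every HCL construct.

```python
"""Find S3 buckets versioned without MFA delete in Terraform source.

Added example, not the rule's real implementation. Handles the provider 4+
aws_s3_bucket_versioning resource and the legacy provider 3 versioning block.
"""
import re

# Matches the opening of a top-level resource block: resource "<type>" "<name>" {
RESOURCE_RE = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')


def _block_body(text, start):
    """Return the text between the brace at `start` and its matching close."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in HCL input")


def _attr(body, name):
    """Return the value of `name = value` in body (quotes stripped), or None."""
    m = re.search(rf'\b{re.escape(name)}\s*=\s*"?([A-Za-z0-9_.-]+)"?', body)
    return m.group(1) if m else None


def _nested(body, name):
    """Return the body of the nested block `name { ... }`, or None if absent."""
    m = re.search(rf'\b{re.escape(name)}\s*\{{', body)
    return _block_body(body, m.end() - 1) if m else None


def find_noncompliant(hcl):
    """Return addresses (type.name) of resources that enable versioning without MFA delete."""
    findings = []
    for m in RESOURCE_RE.finditer(hcl):
        rtype, rname = m.group(1), m.group(2)
        body = _block_body(hcl, m.end() - 1)
        if rtype == "aws_s3_bucket_versioning":
            # Provider 4+: mfa_delete lives in versioning_configuration.
            cfg = _nested(body, "versioning_configuration") or ""
            if _attr(cfg, "status") == "Enabled" and _attr(cfg, "mfa_delete") != "Enabled":
                findings.append(f"{rtype}.{rname}")
        elif rtype == "aws_s3_bucket":
            # Provider 3 and below: legacy versioning block on the bucket itself.
            legacy = _nested(body, "versioning")
            if legacy is not None and _attr(legacy, "enabled") == "true" \
                    and _attr(legacy, "mfa_delete") != "true":
                findings.append(f"{rtype}.{rname}")
    return findings


# Constructed sample input covering both syntaxes, noncompliant and compliant.
SAMPLE_HCL = '''
resource "aws_s3_bucket" "v4" {
  bucket = "example"
}

resource "aws_s3_bucket_versioning" "missing" {
  bucket = aws_s3_bucket.v4.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_versioning" "fixed" {
  bucket = aws_s3_bucket.v4.id
  versioning_configuration {
    status     = "Enabled"
    mfa_delete = "Enabled"
  }
  mfa = var.MFA
}

resource "aws_s3_bucket" "legacy_bad" {
  bucket = "legacy"
  versioning {
    enabled = true
  }
}

resource "aws_s3_bucket" "legacy_ok" {
  bucket = "legacy"
  versioning {
    enabled    = true
    mfa_delete = true
  }
}
'''

if __name__ == "__main__":
    for address in find_noncompliant(SAMPLE_HCL):
        print(f"Noncompliant: {address} enables versioning without MFA delete")
```

Buckets whose versioning is Suspended or absent are deliberately not reported, matching the rule's scope of versioned buckets; a real deployment would run this over every .tf file in the module, but for a production pipeline the rule itself (or the provider's own validation) is the better tool.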
