AWS s3 delete only with mfa

Aria2084 used Ask the Experts™
Hello all, I am new to using AWS, I have experience using it but have not gone full throttle.

I am trying to set up an existing S3 bucket to not allow deletes from a user that does not have MFA.  I have seen some examples on how to do this but found them to be a little confusing.

Does anyone have a clear example for a dummy like me on how to set this up?
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
btanExec Consultant
Distinguished Expert 2018

There are a couple of reference but see this as a simpler step by step with testing. Enabling MFA via AWS Management Console is not currently supported hence enable MFA using AWS API via CLI.


I appreciate the link. It looks like the photo examples are broken on the link.  The link was a bit too complex and assuming someone was already an expert at aws.

From what I gather it is saying this can be done from the command line only.  Would need to know how to get to the command line and a clear example of the command on how to enable this on a bucket.
btanExec Consultant
Distinguished Expert 2018

MFA Delete on S3 buckets (Can only be done via CLI).

To install CLI, you need Python runtime and PIP.
Step 1 – Install Python and PIP

Step 2  – Install the AWS CLI using the following PIP command from a cmd prompt
$ pip install awscli –upgrade –user

Step 3 – Configure AWS CLI – using your Access Key and Secret Key.
$ aws configure
AWS Secret Access Key [None]: afdfrXUtnGSAD/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-west-2
Default output format [None]: json

Step 4 – Now, here’s the tricky part. There is no separate MFA command on the S3 API.
So, it is part of the versioning set of commands on the bucket.
--bucket <value>
[--content-md5 <value>]
[--mfa <value>]
--versioning-configuration <value>
[--cli-input-json <value>]
[--generate-cli-skeleton <value>]

aws s3api put-bucket-versioning
  --bucket webapp-status-reports
  --versioning-configuration '{"MFADelete":"Enabled","Status":"Enabled"}'
  --mfa 'arn:aws:iam::AWS_ACCOUNT_ID_HERE:mfa/root-account-mfa-device PASSCODE_HERE'

Note for step 4, it requires root account, so use the MFA device activated for your AWS root account and replace AWS_ACCOUNT_ID_HERE and PASSCODE_HERE with your own access details.

Step 5 - Run get-bucket-versioning command (OSX/Linux/UNIX) using the bucket name to determine if S3 object versioning and MFA delete feature have been successfully enabled:
aws s3api get-bucket-versioning
  --bucket webapp-status-reports

If enabled, the command output should look like the following:
  "MFADelete": "Enabled",
  "Status": "Enabled"

The summary of the steps in

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial