More Info:

AWS S3 buckets should use Multi-Factor Authentication (MFA) Delete feature in order to prevent the deletion of any versioned S3 objects (files).

Risk Level

Low

Address

Security

Compliance Standards

CISAWS, CBP

Triage and Remediation

Remediation

Using Console

Sure, here are the step-by-step instructions to remediate the S3 Bucket misconfiguration of not having MFA Delete enabled in AWS:
  1. Log in to your AWS Management Console.
  2. Navigate to the S3 service.
  3. Click on the S3 bucket that you want to remediate.
  4. Click on the “Properties” tab.
  5. Scroll down to the “Delete” section and click on “Edit”.
  6. Select the “Enable MFA delete” checkbox.
  7. Click on “Save changes”.
  8. A pop-up window will appear asking you to enter your MFA code. Enter the code and click on “Save changes”.
  9. MFA Delete is now enabled for your S3 bucket.
Note: MFA Delete requires the use of a virtual MFA device or a hardware MFA device. You will need to configure MFA for your AWS account before you can enable MFA Delete for your S3 bucket.

To remediate the misconfiguration “S3 Bucket Should Have MFA Delete Enabled” for AWS using AWS CLI, follow these steps:
  1. Open your terminal and install AWS CLI if it is not already installed.
  2. Run the following command to enable MFA delete for your S3 bucket:
aws s3api put-bucket-versioning --bucket your-bucket-name --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "your-serial-number MFA-code"
Note: Replace “your-bucket-name” with the name of your S3 bucket, and “your-serial-number” and “MFA-code” with your MFA device’s serial number and code respectively.
  1. Verify that MFA delete is enabled for your S3 bucket by running the following command:
aws s3api get-bucket-versioning --bucket your-bucket-name
This command should output the versioning configuration of your S3 bucket, which should include “MFADelete”: “Enabled”.
  1. Test that MFA delete is working by attempting to delete an object from your S3 bucket using the AWS Management Console or AWS CLI. You should be prompted to enter an MFA code to confirm the deletion.
By following these steps, you should be able to remediate the misconfiguration “S3 Bucket Should Have MFA Delete Enabled” for AWS using AWS CLI.
To remediate S3 bucket MFA delete enabled misconfiguration in AWS using Python, follow the below steps:
  1. Install the boto3 library if not already installed using the command !pip install boto3
  2. Import the necessary libraries and create an S3 client object: 
import boto3
s3 = boto3.client('s3')
  1. Get the bucket’s current versioning configuration using the get_bucket_versioning method:
bucket_name = 'your-bucket-name'
versioning = s3.get_bucket_versioning(Bucket=bucket_name)
  1. If the versioning is not enabled, enable it using the put_bucket_versioning method:
if versioning['Status'] != 'Enabled':
    s3.put_bucket_versioning(
        Bucket=bucket_name,
        VersioningConfiguration={
            'Status': 'Enabled'
        }
    )
  1. Get the bucket’s current MFA delete configuration using the get_bucket_mfa_delete method:
mfa_delete = s3.get_bucket_mfa_delete(Bucket=bucket_name)
  1. If the MFA delete is not enabled, enable it using the put_bucket_mfa_delete method:
if not mfa_delete['MFADelete']:
    s3.put_bucket_mfa_delete(
        Bucket=bucket_name,
        MFADelete='Enabled'
    )
  1. To enable MFA delete, you need to provide the serial number of the MFA device and the current token code. You can prompt the user to input this information or retrieve it from a secure location.
mfa_serial = 'your-mfa-serial-number'
mfa_token = 'your-mfa-token-code'
s3.put_bucket_mfa_delete(
    Bucket=bucket_name,
    MFADelete='Enabled',
    MFA='arn:aws:iam::YOUR_ACCOUNT_ID:mfa/{}'.format(mfa_serial),
    VersioningConfiguration={
        'Status': 'Enabled'
    },
    RequestPayer='requester',
    MultiFactorAuthentication={
        'SerialNumber': 'arn:aws:iam::YOUR_ACCOUNT_ID:mfa/{}'.format(mfa_serial),
        'TokenCode': mfa_token
    }
)
Note: Replace your-bucket-name, your-mfa-serial-number and your-mfa-token-code with the actual values.
  1. Once the above steps are completed, the S3 bucket should have MFA delete enabled.
Note: Make sure you have the necessary permissions to perform these actions.

Additional Reading: