S3 Bucket Should Have MFA Delete Enabled
More Info:
AWS S3 buckets should use the Multi-Factor Authentication (MFA) Delete feature in order to prevent the deletion of versioned S3 objects (files).
Risk Level: Low
Address: Security
Compliance Standards: CISAWS, CBP
Triage and Remediation
Remediation
To remediate the misconfiguration “S3 Bucket Should Have MFA Delete Enabled” for AWS using the AWS Management Console, follow these steps:
- Log in to your AWS Management Console.
- Navigate to the S3 service.
- Click on the S3 bucket that you want to remediate.
- Click on the “Properties” tab.
- Scroll down to the “Delete” section and click on “Edit”.
- Select the “Enable MFA delete” checkbox.
- Click on “Save changes”.
- A pop-up window will appear asking you to enter your MFA code. Enter the code and click on “Save changes”.
- MFA Delete is now enabled for your S3 bucket.
Note: MFA Delete requires the use of a virtual MFA device or a hardware MFA device. You will need to configure MFA for your AWS account before you can enable MFA Delete for your S3 bucket.
To remediate the misconfiguration “S3 Bucket Should Have MFA Delete Enabled” for AWS using AWS CLI, follow these steps:
- Open your terminal and install AWS CLI if it is not already installed.
- Run the following command to enable MFA delete for your S3 bucket:
aws s3api put-bucket-versioning --bucket your-bucket-name --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "your-serial-number MFA-code"
Note: Replace “your-bucket-name” with the name of your S3 bucket, and “your-serial-number” and “MFA-code” with your MFA device’s serial number and code respectively.
- Verify that MFA delete is enabled for your S3 bucket by running the following command:
aws s3api get-bucket-versioning --bucket your-bucket-name
This command should output the versioning configuration of your S3 bucket, which should include "MFADelete": "Enabled".
- Test that MFA delete is working by attempting to delete an object from your S3 bucket using the AWS Management Console or AWS CLI. You should be prompted to enter an MFA code to confirm the deletion.
By following these steps, you should be able to remediate the misconfiguration “S3 Bucket Should Have MFA Delete Enabled” for AWS using AWS CLI.
To remediate the misconfiguration “S3 Bucket Should Have MFA Delete Enabled” for AWS using Python, follow these steps:
- Install the boto3 library if it is not already installed: pip install boto3
- Import the necessary libraries and create an S3 client object:
import boto3
s3 = boto3.client('s3')
- Get the bucket’s current versioning configuration using the get_bucket_versioning method. The response reports both the versioning Status and the MFADelete state; both keys are absent if the bucket has never been versioned, so read them with a default:
bucket_name = 'your-bucket-name'
versioning = s3.get_bucket_versioning(Bucket=bucket_name)
versioning_status = versioning.get('Status', 'Disabled')
mfa_delete_status = versioning.get('MFADelete', 'Disabled')
- If versioning is not enabled, enable it using the put_bucket_versioning method (MFA delete only protects versioned objects):
if versioning_status != 'Enabled':
    s3.put_bucket_versioning(
        Bucket=bucket_name,
        VersioningConfiguration={
            'Status': 'Enabled'
        }
    )
- If MFA delete is not enabled, enable it with another put_bucket_versioning call. boto3 has no separate MFA delete method: MFA delete is part of the bucket’s versioning configuration, and the request must carry the MFA parameter, which is the serial number of the MFA device (the device ARN for a virtual device), a space, and the current token code. You can prompt the user for the token code or retrieve it from a secure location:
mfa_serial = 'arn:aws:iam::YOUR_ACCOUNT_ID:mfa/your-mfa-device-name'
mfa_token = 'your-mfa-token-code'
if mfa_delete_status != 'Enabled':
    s3.put_bucket_versioning(
        Bucket=bucket_name,
        MFA='{} {}'.format(mfa_serial, mfa_token),
        VersioningConfiguration={
            'Status': 'Enabled',
            'MFADelete': 'Enabled'
        }
    )
Note: Replace your-bucket-name, YOUR_ACCOUNT_ID, your-mfa-device-name and your-mfa-token-code with the actual values.
- Once the above steps are completed, the S3 bucket should have MFA delete enabled. Calling get_bucket_versioning again should now return 'MFADelete': 'Enabled'.
Note: Make sure you have the necessary permissions to perform these actions.
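The CLI and Python steps above remediate one bucket at a time. The following is an added example, not code from the original page or from any AWS or vendor tool, that turns the same check into an audit over many buckets and builds the put_bucket_versioning request used for remediation. It relies only on the real boto3 S3 API shapes (get_bucket_versioning returning optional Status and MFADelete keys; put_bucket_versioning taking MFA as "<serial> <token>"). The bucket names and responses in SAMPLE_RESPONSES are constructed so the script runs offline; live_audit shows how the same functions are wired to a real boto3 client.

```python
"""Audit S3 buckets for MFA Delete and build the remediation request.

Added example: it assumes only the documented boto3 S3 API. The sample
bucket names and GetBucketVersioning responses below are constructed data.
"""
import re
from typing import Callable, Dict, List

VersioningConfig = Dict[str, str]  # the part of GetBucketVersioning we inspect


def evaluate_bucket(name: str, versioning: VersioningConfig) -> Dict[str, str]:
    """Classify one bucket from its GetBucketVersioning response.

    Both keys are optional: a bucket that was never versioned returns an
    empty configuration, and a versioned bucket without MFA Delete may omit
    "MFADelete" or report it as "Disabled".
    """
    status = versioning.get("Status", "NotConfigured")
    mfa = versioning.get("MFADelete", "Disabled")
    if status == "Enabled" and mfa == "Enabled":
        finding = "compliant"
    elif status == "Enabled":
        finding = "versioned, MFA Delete disabled"
    elif status == "Suspended":
        finding = "versioning suspended; MFA Delete cannot protect versions"
    else:
        finding = "versioning not configured"
    return {"bucket": name, "versioning": status, "mfa_delete": mfa, "finding": finding}


def audit_buckets(buckets: List[str],
                  get_versioning: Callable[[str], VersioningConfig]) -> List[Dict[str, str]]:
    """Evaluate every bucket; get_versioning is injected so the same code
    runs against a boto3 client or against sample data."""
    return [evaluate_bucket(name, get_versioning(name)) for name in buckets]


def noncompliant(results: List[Dict[str, str]]) -> List[str]:
    """Names of the buckets that still need MFA Delete enabled."""
    return [r["bucket"] for r in results if r["finding"] != "compliant"]


def build_mfa_delete_request(bucket: str, mfa_serial: str, token_code: str) -> dict:
    """Return the keyword arguments for s3.put_bucket_versioning(**kwargs).

    The MFA value is the device serial (the device ARN for a virtual MFA)
    followed by one space and the six-digit code currently shown on the
    device. AWS accepts this request only when it is signed with the bucket
    owner's root credentials; that is a property of the service, not
    something this function can check.
    """
    if not re.fullmatch(r"\d{6}", token_code):
        raise ValueError("MFA token code must be exactly six digits")
    if not mfa_serial or " " in mfa_serial:
        raise ValueError("MFA serial must be a device ARN or hardware serial without spaces")
    return {
        "Bucket": bucket,
        "MFA": f"{mfa_serial} {token_code}",
        "VersioningConfiguration": {"Status": "Enabled", "MFADelete": "Enabled"},
    }


# Constructed sample data standing in for GetBucketVersioning responses.
SAMPLE_RESPONSES: Dict[str, VersioningConfig] = {
    "prod-audit-logs": {"Status": "Enabled", "MFADelete": "Enabled"},
    "prod-backups": {"Status": "Enabled"},                         # versioned, no MFA Delete
    "legacy-exports": {"Status": "Suspended", "MFADelete": "Disabled"},
    "scratch-data": {},                                            # never versioned
}


def live_audit(s3_client) -> List[Dict[str, str]]:
    """Run the same audit against a real account; s3_client is a boto3 S3
    client (boto3.client('s3')). Not exercised by the offline run below."""
    names = [b["Name"] for b in s3_client.list_buckets()["Buckets"]]
    return audit_buckets(names, lambda n: s3_client.get_bucket_versioning(Bucket=n))


if __name__ == "__main__":
    results = audit_buckets(list(SAMPLE_RESPONSES), SAMPLE_RESPONSES.__getitem__)
    for r in results:
        print(f"{r['bucket']:<18} {r['versioning']:<14} {r['mfa_delete']:<9} {r['finding']}")
    # Dry run: show the remediation call each non-compliant bucket would need.
    for name in noncompliant(results):
        req = build_mfa_delete_request(name, "arn:aws:iam::123456789012:mfa/root-device", "123456")
        print(f"would call s3.put_bucket_versioning(**{req!r})")
```

The audit reads only the versioning configuration, so it needs just s3:ListAllMyBuckets and s3:GetBucketVersioning; the remediation call is the one step that must run under the root user with a valid MFA token, which is why the example separates finding the buckets from changing them.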