Enable AWS S3 MFA delete with the console

Make sure you have root user account keys for CLI access; you can generate them using these instructions: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_add-key. Otherwise you get the error:

An error occurred (InvalidArgument) when calling the PutBucketVersioning operation: Mfa header is invalid


Instructions:

Log in to the CLI:

aws configure

View the account's S3 buckets:

aws s3 ls

List the Virtual MFA Devices:

aws iam list-virtual-mfa-devices

Using the S3 bucket name, the virtual MFA device ARN, and your Google Authenticator app to generate the MFA code, enter this command:

aws s3api put-bucket-versioning --bucket <yourbucket> --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "arn:aws:iam::<account number>:mfa/root-account-mfa-device <mfa code>"

Result:

Check your bucket has MFA Delete Enabled:


Rollback:

The operation can be reversed:

{
  "MFADelete": "Enabled"|"Disabled",
  "Status": "Enabled"|"Suspended"
}

No - you can enable versioning on the bucket but you cannot enable MFA delete.

You can do it via the AWS CLI:

aws s3api put-bucket-versioning --bucket bucketname --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "your-mfa-serial-number mfa-code"

Note that the command above also enables bucket versioning.
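
An added example, not part of either answer: shell functions that validate the --mfa value before calling put-bucket-versioning and report, per bucket, whether versioning and MFA Delete are both on. The function names, the status labels and the sample ARN in the comments are assumptions made for illustration, and the 6-digit check assumes a TOTP device.

```shell
#!/usr/bin/env bash
# Added example: enable and audit S3 MFA Delete with the AWS CLI.
# Function names and status labels are illustrative, not AWS terminology.

# Build the --mfa value: "<serial-or-ARN> <code>", separated by one space.
# Constructed sample serial: arn:aws:iam::111122223333:mfa/root-account-mfa-device
mfa_arg() {
  local serial=$1 code=$2
  case $serial in
    ''|*[[:space:]]*) echo "MFA serial is empty or contains spaces" >&2; return 1 ;;
  esac
  case $code in
    [0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo "MFA code must be 6 digits" >&2; return 1 ;;
  esac
  printf '%s %s' "$serial" "$code"
}

# Classify a bucket from the Status and MFADelete fields of
# get-bucket-versioning. A field that is absent or "None" counts as off.
classify_versioning() {
  local status=${1:-None} mfa=${2:-None}
  if [ "$status" = "Enabled" ] && [ "$mfa" = "Enabled" ]; then echo "PROTECTED"
  elif [ "$status" = "Enabled" ]; then echo "VERSIONED_NO_MFA_DELETE"
  elif [ "$status" = "Suspended" ]; then echo "SUSPENDED"
  else echo "UNVERSIONED"
  fi
}

# Usage: enable_mfa_delete <bucket> <serial-or-ARN> <code> (root credentials).
enable_mfa_delete() {
  local arg
  arg=$(mfa_arg "$2" "$3") || return 1
  aws s3api put-bucket-versioning --bucket "$1" \
    --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "$arg"
}

# Print "<bucket><TAB><state>" for every bucket the credentials can list.
audit_buckets() {
  local bucket fields
  for bucket in $(aws s3api list-buckets --query 'Buckets[].Name' --output text); do
    fields=$(aws s3api get-bucket-versioning --bucket "$bucket" \
      --query '[Status, MFADelete]' --output text)
    # $fields is left unquoted on purpose so it splits into two arguments.
    printf '%s\t%s\n' "$bucket" "$(classify_versioning $fields)"
  done
}

case ${1:-} in
  audit)  audit_buckets ;;
  enable) enable_mfa_delete "$2" "$3" "$4" ;;
esac
```
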