Protecting AWS Objects With MFA Delete


In this post I’ll cover how to configure a bucket policy to require MFA delete and then give an example of how to perform an object deletion using the AWS CLI and a formatted JSON file.

At work I’ve set up several buckets to store long-term data. We don’t want this data accidentally deleted, so I set up a policy to require Multi-Factor Authentication (MFA) for object deletion, and then restricted MFA access to administrators. I think this is probably a common scenario for many AWS users, but I found the documentation to be a bit scattered, without any concise examples of how to set up the policy and then use the AWS CLI to perform a delete.

AWS MFA Delete Bucket Policy

Create a bucket policy that requires MFA delete. The policy below is an example: it requires MFA for deleting any object, and requires that the MFA authentication be obtained within 5 minutes (300 seconds) of the API call.

For more information, you can refer to the AWS Bucket Policy Examples Documentation.


Delete Objects JSON File

To delete an object with the CLI, create a JSON file listing the keys of all the objects you want to delete. You’ll need one file per bucket; an example is below. The “Quiet”:false directive means that you’ll receive a response back that you can then log to a file; if you change it to true you won’t receive any response back from AWS. Here’s an example of the my-delete.json file:


AWS S3API Command

Then simply submit your command. Here’s the command line; note the space between the MFA serial number and the token code.


AWS Succeed Response

Here’s the response we receive from AWS in resp.json:
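The three pieces described above, as an added example rather than the post’s own files: a script that writes a bucket policy of the kind described (MFA required, no older than 300 seconds), writes the delete-objects manifest with Quiet false, and prints the s3api command line. The bucket name, account id and MFA device ARN are placeholders.

```shell
#!/bin/sh
# Added example, not the original post's files. Bucket name, account id and
# MFA device ARN below are placeholders.
BUCKET="example-archive-bucket"
MFA_SERIAL="arn:aws:iam::123456789012:mfa/admin"

# Bucket policy: deny DeleteObject unless the caller's credentials carry an
# MFA authentication no older than 300 seconds. aws:MultiFactorAuthAge is only
# present on MFA-backed session credentials (e.g. from sts get-session-token),
# so the first statement denies callers that have no MFA at all.
write_policy() {
  cat > "$1" <<EOF
{"Version": "2012-10-17", "Statement": [
  {"Sid": "DenyDeleteWithoutMFA", "Effect": "Deny", "Principal": "*",
   "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::${BUCKET}/*",
   "Condition": {"Null": {"aws:MultiFactorAuthAge": "true"}}},
  {"Sid": "DenyDeleteWithStaleMFA", "Effect": "Deny", "Principal": "*",
   "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::${BUCKET}/*",
   "Condition": {"NumericGreaterThan": {"aws:MultiFactorAuthAge": "300"}}}
]}
EOF
}

# delete-objects manifest: one Key per object. Quiet=false makes AWS list every
# deleted key under "Deleted" in its response (and failures under "Errors"),
# which is what gets captured in resp.json.
write_manifest() {
  file="$1"; shift
  {
    printf '{\n  "Objects": [\n'
    first=1
    for key in "$@"; do
      [ "$first" -eq 1 ] || printf ',\n'
      printf '    { "Key": "%s" }' "$key"
      first=0
    done
    printf '\n  ],\n  "Quiet": false\n}\n'
  } > "$file"
}

# The s3api call; --mfa takes "<serial> <token>" separated by one space.
delete_command() {
  printf 'aws s3api delete-objects --bucket %s --delete file://%s --mfa "%s %s" > resp.json\n' \
    "$BUCKET" "$1" "$MFA_SERIAL" "$2"
}

write_policy mfa-delete-policy.json
write_manifest my-delete.json "archive/2019/report.csv" "archive/2019/report.csv.sig"
delete_command my-delete.json 123456
```

Apply the policy with `aws s3api put-bucket-policy --bucket <bucket> --policy file://mfa-delete-policy.json`, then run the printed command with a fresh token code.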
