How to enable MFA delete for S3 buckets?

Reading Time: 9 minutes

With so many different services available in the cloud, any organization’s security must be a primary consideration. As a result, preserving data from inadvertent deletion should be at the top of the priority list. You can add an extra degree of protection to AWS S3 by configuring buckets to enable MFA delete, which can help prevent unintentional bucket deletions and their contents.

Securing objects from accidental deletion or an intended deletion is one of the important security concerns as it may affect the customers and the business.

To avoid such scenarios, AWS has a feature called MFA delete which can be implemented on the S3 buckets with Versioning Enabled. In this blog, we will demonstrate step-by-step implementation for enabling MFA delete on a S3 bucket.

In this blog, we will cover:

  • What is MFA delete?
  • Authentication required for MFA delete
  • Enable MFA on S3 bucket
  • Enable Versioning on S3 bucket
  • Install Google Authenticator
  • Activate MFA
  • Setup Access Key ID and Secret Access Key for Root Account
  • Install and Configure AWS CLI
  • Verify MFA delete
  • Testing and Verification
  • Disable MFA delete on S3 bucket
  • Conclusion

What is MFA delete?

When you try to delete a file, MFA delete simply protects the versioning of the file; when you delete the file, it actually deletes it from the bucket but preserves a version. When deleting through the AWS interface, the behavior is similar; it deletes the file but does not allow you to delete the version.

What is MFA delete?

This regulation can assist you in meeting the following compliance requirements:

  • Payment Card Industry Data Security Standard (PCI DSS)
  • General Data Protection Regulation (GDPR)
  • APRA
  • MAS
  • NIST 800-53 (Rev. 4)

Working with the AWS Well-Architected Framework is made easier with this rule.

Versioning plays an important role in keeping multiple versions of the same file, using which MFA delete works.

MFA (Multi-factor Authentication) adds a layer of security from:

  • Changing the versioned state of the objects
  • Permanent delete of the versioned objects
What is MFA delete?

Authentication required for MFA delete

While configuring MFA delete on the S3 buckets, there are two forms of authentication required.

  • Your security credentials which is Access Key ID and Secret Access Key
  • Six-digit code from the approved authentication device such as Google authenticator installed on mobile


Enable MFA on the S3 bucket

To create an S3 bucket, Go to the S3 console

Click Create bucket, Enter the name for the S3 bucket and then click Create bucket.

Enable Versioning on S3 bucket

After the S3 bucket is created, Versioning can be either enabled using the command line interface or using the AWS console.

To enable versioning using the AWS console, Open the S3 console, Select the bucket.

Then select Properties.

Click Edit for Bucket Versioning

 And then Choose Enable and Click Save changes.

Versioning for the S3 bucket is Enabled.

Enabling versioning on the S3 buckets can be done using IAM users. But activating and deactivating MFA delete can only be performed by the Root user account.

Install Google Authenticator

Google Authenticator can be installed on Android and Iphone.

Install Google Authenticator in your mobile and then configure MFA for the Root account, as we are going to use this MFA code to enable and disable MFA delete.

To install the Google Authenticator, Go to Play Store / App Store and then Search for Google Authenticator.

Install and Open the Application.

MFA delete

Activate MFA

Minimum Required

  • Make sure AWS CLI is configured on the local system and have access for managing S3 buckets.
  • Root Account with MFA Enabled.

We need to collect these things first

  • S3 bucket in a Region
  • MFA Secret for the Root account. 

To Enable MFA, Click the Account name and then choose My Security Credentials.

You should see the following screen.

MFA delete

Then Click Activate MFA on the Root Account.

For Manage MFA device, Choose Virtual MFA device and click Continue.

Click Show QA code and Scan the code with the mobile using the Google Authenticator.

MFA delete

To Scan the Code, Click + icon in the Google Authenticator App.

And then Choose Scan a QR code.

MFA delete

After scanning, the account will be added to the Google Authenticator.

A 6 digit code will be generated in the mobile application, which should be entered here.

After entering the codes, Click Assign MFA.

The Virtual MFA device was successfully added.

Under MFA, you can find the Serial Number which we will use while enabling MFA delete on S3, so make a note of it.

MFA delete

Setup Access Key ID and Secret Access Key for Root Account

We should set up access and secret keys, as the activating and deactivating of MFA delete on the S3 bucket can be performed only using AWS CLI.

Under Access keys, Click Create New Access key


And then download the key file.


Using the Access key ID and Secret access key, let’s go ahead and install, and configure AWS CLI on the local system.

Install and Configure AWS CLI

To install AWS CLI on Ubuntu operating system.

sudo apt-get install awscli

Run the below command to configure AWS CLI.

aws configure

You will be asked to enter an access key and secret access key and the region where the S3 bucket is created.

Now the aws cli is configured on the system.

To get the lists of Available buckets in the Account

  • aws s3api list-buckets
MFA delete

You can also run the below command.

  • aws s3 ls

To check whether versioning is enabled in a particular bucket.

aws s3api get-bucket-versioning –bucket BucketName

If it doesn’t reply to anything that means versioning is not enabled in this bucket.

Having the details of the MFA Serial and the MFA code, we are going to enable the MFA delete on the S3 bucket.

Running the below command.

aws s3api put-bucket-versioning --profile my-root-profile --bucket my-bucket-name --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa “arn:aws:iam::00000000:mfa/root-account-mfa-device 123456”

From the above command, This is what we are doing.

put-bucket-versioning – We are going to apply Versioning

–profile – Is your AWS CLI profile, by default the profile is default and you can check the profile under AWS folder and credentials file

–bucket – mention your bucket name here

–mfa – provide the Serial Number of the Root MFA

Finally, the six-digit code from the Google Authenticator.

Now we have successfully applied MFA delete on the S3 bucket.

Verify MFA delete

We can verify whether the versioning and the MFA delete is enabled for the bucket using the below command.

aws s3api get-bucket-versioning --bucket bucketname

As you can see, the versioning and MFA delete are Enabled.

Alternatively, versioning and MFA delete status can be checked from the S3 console.

Go to S3 console, Select the bucket and then choose Properties

Under Bucket Versioning, you can see that the versioning and MFA delete are Enabled.

Testing and Verification

The MFA delete is only for the versioned objects, which means if you delete the actual file it will delete it but it will keep all the versions of the file.

Deleting a File

In my bucket I have a file named “mfa delete”.

I am going to delete it using the below command.

aws s3api delete-object --bucket workfall-mfa-bucket --key "mfa delete"

As you can see the main file is deleted without the need of the MFA.

MFA delete

If the above action is performed using the AWS console, it will still delete the actual file but it will retain all the versions of that file.

Deleting Version of a File without MFA

For testing this, I have created a file named MFA and uploaded it to the S3 bucket.

Then I made some changes to the file and re-uploaded it to the bucket with the same file name and it is added as a version (Current version) of that file.

To check the same, Click the File and then choose Versions

MFA delete

You can see that the latest uploaded file with the changes is marked as Current Version and has the version ID for the same.

Using the below command, let’s try to delete the version of a file without MFA.

aws s3api delete-object --bucket bucketname --key mfa --version-id cWHSLEi09A8iDXPOUPtbqvRgFihMCIB_

From the screenshot below, you can see it throws an Authentication error. Even if it is a root user, without MFA, the version of the object cannot be deleted.

Deleting version of File using MFA

Let’s try to delete the same version of the file using MFA.

aws s3api delete-object --profile default --bucket bucketname --key test1 --version-id cWHSLEi09A8iDXPOUPtbqvRgFihMCIB_ --mfa "arn:aws:iam::0000555500:mfa/root-account-mfa-device 983951"

From the screenshot, you can see that the version of the object is deleted with the help of MFA.

Let’s verify the same using the AWS S3 console.

Go to the S3 bucket, choose the bucket name and select the file name.

And then choose versions. Here you can find that the version of the file is deleted.

And the actual file became the Current version which has its own version ID.

Disable MFA delete on S3 bucket

Let’s say you want to keep the versioning, but want to delete the MFA delete on the S3 bucket.

You can achieve this using the below command.

aws s3api put-bucket-versioning --profile default --bucket bucketname --versioning-configuration Status=Enabled,MFADelete=Disabled --mfa "arn:aws:iam::0000050505:mfa/root-account-mfa-device 880365"

aws s3api get-bucket-versioning --bucket workfall-mfa-bucket --profile workfall

MFA delete

Using the above command, we have just disabled the MFA delete on the S3 bucket.


In this blog, we have added a layer of security for the versioned objects in the S3 buckets using MFA delete from accidental deletion. MFA delete adds a layer of security for the objects stored in the S3 bucket which can only be Enabled and Disabled by the Root User. Deleting the versioned object is not even possible for the root user unless MFA is used. We have implemented a strategy to secure the file stored in the S3 bucket using versioning and MFA delete features offered by AWS. Stay tuned to keep getting all updates about our upcoming new blogs on AWS and relevant technologies.

Meanwhile …

Keep Exploring -> Keep Learning -> Keep Mastering

This blog is part of our effort towards building a knowledgeable and kick-ass tech community. At Workfall, we strive to provide the best tech and pay opportunities to AWS-certified talents. If you’re looking to work with global clients, build kick-ass products while making big bucks doing so, give it a shot at today.

Back To Top