S3 MFA Delete

1 Minute


When you create a new AWS account, one of the first things you're supposed to do is setup Multi-Factor Authentication (MFA). This added layer of security is a way to make sure you have the registered MFA device in your possession.

Once MFA is setup you have to enter a code at login, but is that the only time MFA comes into play?

What is MFA Delete?

Why would I use it?

Can't Delete Object Versions

How to enable MFA Delete

MFA Delete is part of the Bucket Versioning settings. If you try to edit it in the console, however, you'll see its status but can't edit it.

Enable Bucket Versioning

Turns out you can only enable MFA Delete from the CLI, using the account's root user. You need to use the root user since

ā„¹ Bucket Owner

You may think that the bucket owner would be the user that created it, but in AWS it's actually the account that created the bucket. See the S3 User Guide for more details.

aws s3api put-bucket-versioning \
--bucket {BUCKET_NAME} \
--versioning-configuration '{"MFADelete":"Enabled", "Status": "Enabled"}' \
--mfa 'arn:aws:iam::{ACCOUNT_NUMBER}:mfa/root-account-mfa-device {MFA_CODE}'

MFA Delete Enabled