MFA Delete in S3

In Amazon S3 (Simple Storage Service) security, MFA (Multi-Factor Authentication) Delete is a feature that adds an extra layer of protection to prevent accidental or malicious deletion of data.

What is MFA Delete?

MFA Delete is a security feature in Amazon S3 that requires users to provide an additional authentication factor, in addition to the standard AWS credentials, to delete objects from a bucket. This helps to prevent unauthorized deletions and adds an extra layer of security for sensitive data.

How MFA Delete Works

When MFA Delete is enabled on an S3 bucket, the following actions require MFA authentication:

  1. Change the versioning state of the bucket (e.g., from enabled to suspended).
  2. Permanently delete an object version.

Steps to Enable MFA Delete

  1. Enable Versioning on the Bucket: MFA Delete can only be enabled if versioning is enabled on the S3 bucket.
  1. Enable MFA Delete: You must have root account access to enable MFA Delete.

Example Scenario

  1. Versioning Enabled: With versioning enabled, S3 keeps multiple versions of an object. If an object is deleted, only the latest version is marked for deletion while older versions remain intact.
  2. MFA Delete Enabled: To delete an object version permanently, MFA Delete requires the user to authenticate using MFA, ensuring an extra layer of verification.

Benefits of MFA Delete

  1. Prevents Accidental Deletions: Reduces the risk of accidental deletions by requiring MFA for deletions.
  2. Enhances Security: Adds an additional layer of security, especially important for critical data.
  3. Protection Against Unauthorized Access: Mitigates the risk of unauthorized deletions due to compromised credentials.

Managing MFA Devices

To use MFA Delete, you need an MFA device associated with your AWS account. AWS supports various types of MFA devices, including virtual MFA apps (e.g., Google Authenticator), U2F security keys, and hardware MFA devices.

Limitations and Considerations

  1. Root Account Requirement: Enabling or disabling MFA Delete requires root account credentials.
  2. Complexity in Management: Requires careful management of MFA devices and ensuring root account credentials are secure.
  3. API Limitations: Certain operations, like enabling MFA Delete, must be done via the AWS CLI or SDKs, not the AWS Management Console.

Commands for Using MFA Delete

  • To Delete an Object Version with MFA:

To disable MFA Delete on an Amazon S3 bucket, you must use the AWS CLI with root user credentials. Here are the steps to disable MFA Delete:

  1. Ensure You Have the Root User Credentials: Make sure you have the root user credentials configured in an AWS CLI profile.
  2. Disable MFA Delete: Use the put-bucket-versioning command to disable MFA Delete on your S3 bucket. Note that disabling MFA Delete does not disable bucket versioning; it only removes the requirement for MFA when changing the versioning state or deleting object versions.

CLI Command to Disable MFA Delete:


  • BUCKET-NAME: Replace with the name of your S3 bucket.
  • arn:aws:iam::123456789012:mfa/root-account-mfa-device: Replace with the ARN of your MFA device.
  • 123456: Replace with the current MFA code from your device.
  • --profile root: This flag specifies that the command should use the root profile, which should have the root user credentials configured.


Suppose your bucket name is my-bucket, the ARN of your MFA device is arn:aws:iam::123456789012:mfa/root-account-mfa-device, and your current MFA code is 654321. The command would look like this:

Important Notes:

  • Root User Requirement: Disabling MFA Delete requires root user credentials, as this operation requires elevated permissions.
  • Versioning Remains Enabled: This command does not disable versioning; it only disables the MFA requirement for versioning-related operations.

By executing this command, you disable MFA Delete on the specified S3 bucket while keeping versioning enabled.


MFA Delete is a powerful feature for securing data in Amazon S3 by requiring multi-factor authentication for critical operations. It ensures that even if primary credentials are compromised, unauthorized deletions can still be prevented, making it an essential tool for protecting sensitive data in S3.

By implementing MFA Delete, organizations can significantly enhance their data protection strategy, safeguarding against both accidental and malicious deletions.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top