Monday Cloud Tip: Enable MFA Delete on S3 Buckets

Your weekly dose of actionable cloud wisdom to start the week right

The Problem

One misplaced script, one wrong CLI command, or one compromised access key could wipe out critical data in your S3 buckets. Even with versioning enabled, malicious actors or accidents can delete object versions and the bucket itself.

The Solution

Enable MFA Delete on your important S3 buckets. This requires multi-factor authentication for:

  • Permanently deleting object versions
  • Suspending or changing bucket versioning

How to Enable (CLI method):

# Enable versioning and MFA Delete in one call (run as the account root user,
# which is the only identity allowed to turn on MFA Delete)
aws s3api put-bucket-versioning \
    --bucket your-bucket-name \
    --versioning-configuration Status=Enabled,MFADelete=Enabled \
    --mfa "arn:aws:iam::123456789012:mfa/your-mfa-device 123456"

Important:

  • Only the bucket owner, signed in as the AWS account root user, can enable MFA Delete
  • You’ll need the root user’s MFA device ARN and a current code from that device, passed together as the --mfa value (ARN, a space, then the code)
  • This CANNOT be done through the AWS Console – CLI only
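To find out which buckets actually have this protection (step 1 of the checklist below, and a quick check after you enable it), here is an added audit helper that is not part of the original post. It classifies the JSON that aws s3api get-bucket-versioning returns, and the bucket loop assumes AWS CLI credentials with s3:ListAllMyBuckets and s3:GetBucketVersioning; the sample responses in the comments are constructed.

```shell
# Reads the JSON from `aws s3api get-bucket-versioning` on stdin and prints
# one classification:
#   PROTECTED      Status=Enabled and MFADelete=Enabled
#   VERSIONED_ONLY Status=Enabled but MFADelete Disabled or absent
#   NOT_VERSIONED  versioning never enabled (empty output) or Suspended
# Note: a bucket that has never been versioned returns no JSON at all,
# which is why the empty case must be handled.
classify_versioning() {
    json=$(cat)
    status=$(printf '%s' "$json" | sed -n 's/.*"Status" *: *"\([A-Za-z]*\)".*/\1/p')
    mfa=$(printf '%s' "$json" | sed -n 's/.*"MFADelete" *: *"\([A-Za-z]*\)".*/\1/p')
    if [ "$status" = "Enabled" ] && [ "$mfa" = "Enabled" ]; then
        echo PROTECTED
    elif [ "$status" = "Enabled" ]; then
        echo VERSIONED_ONLY
    else
        echo NOT_VERSIONED
    fi
}

# Runs the classifier over every bucket in the account and prints one line
# per bucket, so the VERSIONED_ONLY and NOT_VERSIONED rows are your to-do list.
# Constructed example of one output line:  VERSIONED_ONLY  backups-prod
audit_buckets() {
    aws s3api list-buckets --query 'Buckets[].Name' --output text | tr '\t' '\n' |
    while read -r bucket; do
        [ -n "$bucket" ] || continue
        result=$(aws s3api get-bucket-versioning --bucket "$bucket" --output json \
                 | classify_versioning)
        printf '%-15s %s\n' "$result" "$bucket"
    done
}
```

Run audit_buckets before and after enabling MFA Delete; the target bucket should move from VERSIONED_ONLY (or NOT_VERSIONED) to PROTECTED.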

Why It Matters

  • Data Protection: Extra layer against accidental deletion
  • Compliance: Many regulations require deletion controls
  • Peace of Mind: Sleep better knowing critical data is protected
  • Incident Response: Buys you time to investigate suspicious deletion attempts

Try This Week

  1. Identify your 3 most critical S3 buckets
  2. Enable MFA Delete on at least one of them
  3. Document the process for your team
  4. Test the MFA requirement by attempting to delete a test object version

Pro Tip: Consider this for buckets containing backups, config files, or any data that would be painful to lose.


Got a cloud tip you’d like to share? Drop me a line – I’d love to feature community wisdom in future Monday tips!