Amazon S3开启MFA删除保护实践

对象存储是云中非常流行的服务，通常组织迁移到云中的第一件事就是对象存储。数据存放在云中，安全是头等大事。防止意外删除、保护数据是一项重要功能。在Amazon S3中，您可以通过配置存储桶启用MFA删除，这有助于防止意外的存储桶内容及桶删除。

说明

MFA是用户登录账号除了使用用户名/密码之外增加的一层外层保护。AWS支持虚拟MFA认证（在手机或其他移动设备上运行，基于时间同步的一次性密码算法生成六位数字代码），增强账户安全性。

存储桶拥有者、创建存储桶的Amazon账户（根账户）以及所有授权的IAM用户都可以启用版本控制，但只有存储桶拥有者（根账户）才能启用MFA删除（中国区无根用户无法使用该功能）。

创建一个存储桶

查看当前存储桶属性

当前存储桶的版本控制和MFA删除保护都是禁用状态。MFA删除保护在Console界面无法配置，需要使用CLI或REST API实现。

在操作终端安装CLI

安装CLI参考：https://docs.aws.amazon.com/zh_cn/cli/latest/userguide/cli-chap-install.html

使用CLI执行命令

aws s3api put-bucket-versioning --bucket bucketname \
  --versioning-configuration Status=Enabled,MFADelete=Enabled \
  --mfa "arn:aws:iam::xxxxxxxxxxxx:mfa/root-account-mfa-device 123456"

启用版本控制及删除保护。

删除存储桶验证

删除桶需要先删除所有对象。

启用版本控制后，选择删除对象，只可以增加删除标记。

选择删除对象版本提示报错。

S3桶MFA保护配置完成。

使用MFA删除对象

如果需要删除对象，需要使用CLI配合MFA执行命令：

aws s3api delete-object --bucket my-bucket-name \
  --key my-file-name.jpg \
  --version-id myfileVeRsioNiU8u4DTsqUg9NR_Z_SA \
  --mfa "arn:aws:iam::xxxxxxxxxxxx:mfa/root-account-mfa-device 123456"

参考资料：

返回技术博客

Object storage is one of the most popular services in the cloud — often the first thing organizations migrate when moving to the cloud. With data stored in the cloud, security is paramount. Preventing accidental deletion and protecting data is a critical capability. In Amazon S3, you can enable MFA Delete on a bucket to help prevent accidental deletion of bucket contents or the bucket itself.

Overview

MFA (Multi-Factor Authentication) adds an extra layer of protection on top of username and password. AWS supports virtual MFA devices (software apps running on a phone or mobile device that generate a 6-digit time-based one-time password), enhancing account security.

The bucket owner, the AWS account that created the bucket (root account), and all authorized IAM users can enable versioning. However, only the bucket owner (root account) can enable MFA Delete. Note: this feature is not available for root-less accounts in the China region.

Create a Bucket

View Current Bucket Properties

Both versioning and MFA Delete are currently disabled. MFA Delete cannot be configured through the AWS Console — it must be enabled via the CLI or REST API.

Install the AWS CLI

Refer to the installation guide: https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html

Enable MFA Delete via CLI

aws s3api put-bucket-versioning --bucket bucketname \
  --versioning-configuration Status=Enabled,MFADelete=Enabled \
  --mfa "arn:aws:iam::xxxxxxxxxxxx:mfa/root-account-mfa-device 123456"

This enables both versioning and MFA Delete protection.

Verify Deletion Protection

To delete a bucket, all objects must be deleted first.

With versioning enabled, deleting an object only adds a delete marker.

Attempting to delete an object version will return an error.

S3 bucket MFA Delete protection is now configured.

Deleting Objects with MFA

To delete an object version, use the CLI with your MFA token:

aws s3api delete-object --bucket my-bucket-name \
  --key my-file-name.jpg \
  --version-id myfileVeRsioNiU8u4DTsqUg9NR_Z_SA \
  --mfa "arn:aws:iam::xxxxxxxxxxxx:mfa/root-account-mfa-device 123456"

References:

Back to Tech Blog

Amazon S3 MFA Delete Protection Practice

说明