When S3 bucket versioning is enabled, an additional authentication factor can be required before a user is allowed to delete versions of an object or change the versioning state of the bucket. This protects against accidental (or malicious) object deletion by forcing the user who sends the delete request to prove that they hold a valid MFA device and a corresponding valid token.

Ask Yourself Whether

There is a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

It is recommended to enable S3 MFA delete. Note that:

Sensitive Code Example

A versioned S3 bucket does not have MFA delete enabled for AWS provider version 3 or below:

resource "aws_s3_bucket" "example" { # Sensitive
  bucket = "example"

  versioning {
    enabled = true
  }
}

A versioned S3 bucket does not have MFA delete enabled for AWS provider version 4 or above:

resource "aws_s3_bucket" "example" {
  bucket = "example"
}

resource "aws_s3_bucket_versioning" "example" { # Sensitive
  bucket = aws_s3_bucket.example.id
  versioning_configuration {
    status = "Enabled"
  }
}

Compliant Solution

MFA delete is enabled for AWS provider version 3 or below:

resource "aws_s3_bucket" "example" {
  bucket = "example"

  versioning {
    enabled = true
    mfa_delete = true
  }
}

MFA delete is enabled for AWS provider version 4 or above:

resource "aws_s3_bucket" "example" {
  bucket = "example"
}

resource "aws_s3_bucket_versioning" "example" {
  bucket = aws_s3_bucket.example.id
  versioning_configuration {
    status     = "Enabled"
    mfa_delete = "Enabled"
  }
  # Serial number of the MFA device, a space, and the code it currently displays;
  # required by the API whenever MFA delete is being enabled or changed.
  mfa = var.MFA
}
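Beyond the Terraform configuration, the same rule can be checked against a running account. The following is an added example (not part of the original rule description) that classifies buckets by the dict shape `boto3`'s `get_bucket_versioning()` returns; the bucket names and responses below are constructed, and in practice each dict would come from `s3.get_bucket_versioning(Bucket=name)`.

```python
"""Classify S3 buckets by their MFA Delete state.

Input dicts mirror the response of boto3 `get_bucket_versioning()`:
{'Status': 'Enabled'|'Suspended', 'MFADelete': 'Enabled'|'Disabled'}.
Both keys are absent when versioning was never configured on the bucket.
"""
from typing import Dict, List, Tuple

SENSITIVE = "sensitive"          # versioned, but deletes need no MFA token
COMPLIANT = "compliant"          # versioned with MFA Delete enabled
VERSIONING_OFF = "versioning_off"  # rule does not apply (no versions kept)


def classify(versioning: Dict[str, str]) -> str:
    """Return the finding for one bucket's versioning configuration."""
    if versioning.get("Status") != "Enabled":
        return VERSIONING_OFF
    # 'MFADelete' is 'Disabled' (or missing) unless it was explicitly
    # enabled together with versioning, so treat anything else as sensitive.
    if versioning.get("MFADelete") == "Enabled":
        return COMPLIANT
    return SENSITIVE


def audit(buckets: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (bucket, finding) pairs for every bucket, in input order."""
    return [(name, classify(cfg)) for name, cfg in buckets.items()]


def sensitive_buckets(buckets: Dict[str, Dict[str, str]]) -> List[str]:
    """Names of versioned buckets that do not require MFA for deletes."""
    return [name for name, finding in audit(buckets) if finding == SENSITIVE]


# Constructed sample responses; these are not real buckets.
SAMPLE = {
    "logs-archive": {"Status": "Enabled", "MFADelete": "Disabled"},
    "backups": {"Status": "Enabled", "MFADelete": "Enabled"},
    "scratch": {},
    "legacy": {"Status": "Suspended", "MFADelete": "Disabled"},
}

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
    print("needs MFA delete:", sensitive_buckets(SAMPLE))
```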

See