MFA delete disabled on AWS S3 bucket
Description
AlphaSOC detected the disabling of multi-factor authentication (MFA) delete protection on an Amazon Simple Storage Service (S3) bucket. MFA delete requires users to authenticate with a hardware or virtual MFA device before deleting objects or changing bucket versioning settings. This finding indicates that an additional security layer against unauthorized deletions was removed from an AWS S3 bucket.
Impact
Removing MFA delete protection increases the risk of accidental or unauthorized deletion of S3 bucket contents. Threat actors can permanently delete data without requiring secondary authentication, potentially leading to data loss, business disruption, and compliance violations.
Severity
| Severity | Condition |
|---|---|
| Medium | MFA delete disabled on AWS S3 bucket |
Investigation and Remediation
Review AWS CloudTrail logs to identify the user who disabled MFA delete and determine if the action was authorized. Re-enable MFA delete protection immediately if the change was unauthorized. Audit S3 bucket configurations and implement appropriate versioning and backup policies.
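The CloudTrail review described above can be scripted. The example below is added here and is not AlphaSOC's own detection code: it parses a CloudTrail log file and reports every `PutBucketVersioning` call whose versioning configuration set `MfaDelete` to `Disabled`, along with the calling principal, bucket and source address. The sample records are constructed, and the `requestParameters` layout (`bucketName`, `VersioningConfiguration.MfaDelete`) is assumed to follow CloudTrail's format for that API call.

```python
import json

# Constructed sample CloudTrail log (not real records), shaped like CloudTrail's
# S3 management events; the requestParameters field names are assumed.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:15:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketVersioning", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"bucketName": "example-backups",
                           "VersioningConfiguration": {"Status": "Enabled", "MfaDelete": "Disabled"}}},
    {"eventTime": "2024-05-01T10:20:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketVersioning", "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "requestParameters": {"bucketName": "example-archive",
                           "VersioningConfiguration": {"Status": "Enabled", "MfaDelete": "Enabled"}}},
    {"eventTime": "2024-05-01T10:25:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetBucketVersioning", "sourceIPAddress": "203.0.113.12",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"bucketName": "example-backups"}},
]})


def load_records(log_text):
    """Parse one CloudTrail log file: a JSON object holding a "Records" list."""
    return json.loads(log_text).get("Records", [])


def find_mfa_delete_disabled(records):
    """Return one finding per PutBucketVersioning call that set MfaDelete to Disabled."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        if rec.get("eventName") != "PutBucketVersioning":
            continue
        params = rec.get("requestParameters") or {}
        cfg = params.get("VersioningConfiguration") or {}
        # Only an explicit "Disabled" value is a finding; records that do not
        # carry MfaDelete at all (or set it to Enabled) are skipped.
        if str(cfg.get("MfaDelete", "")).lower() != "disabled":
            continue
        findings.append({
            "time": rec.get("eventTime"),
            "bucket": params.get("bucketName"),
            "principal": (rec.get("userIdentity") or {}).get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
        })
    return findings


if __name__ == "__main__":
    for f in find_mfa_delete_disabled(load_records(SAMPLE_LOG)):
        print(f"{f['time']} {f['principal']} disabled MFA delete on s3://{f['bucket']} from {f['source_ip']}")
```

Each finding identifies the principal to check against change records for authorization, and the bucket on which to re-enable MFA delete.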