MFA Delete adds an extra layer of security by requiring an MFA code before anyone can permanently delete an object version or change versioning settings.

Purpose: Prevent accidental or malicious permanent deletion of data.


Requirements


When MFA Is Required vs Not Required

Action                                   MFA Required?
Permanently delete an object version     Yes
Suspend versioning on the bucket         Yes
Enable versioning                        No
List deleted versions                    No
Add a delete marker (soft delete)        No

How It Works

Without MFA Delete:

You --> delete object --> gone immediately

With MFA Delete:

You --> delete object --> system asks for MFA code
    --> enter code from device --> deletion proceeds
    --> wrong or missing code  --> deletion blocked

CLI Command to Enable

MFA Delete can only be enabled using the CLI with root credentials.

aws s3api put-bucket-versioning \
  --bucket YOUR-BUCKET-NAME \
  --versioning-configuration Status=Enabled,MFADelete=Enabled \
  --mfa "arn:aws:iam::ACCOUNT-ID:mfa/root-account-mfa-device MFA-CODE" \
  --profile root-profile
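The enable step above, followed by the verification a practitioner would want: read the bucket's versioning configuration back and confirm both Status and MFADelete are Enabled. This is an added example, not part of the original notes; the bucket name, account id, profile name, MFA code and the sample JSON responses are placeholders or constructed values.

```shell
#!/bin/sh
# Added example (not from the original page). Bucket, account id, profile
# and MFA code are placeholders; the JSON samples in the test are constructed.

# Build the --mfa argument: the device serial ARN and the current code,
# separated by a single space, as put-bucket-versioning expects it.
mfa_arg() {
  account_id="$1"; code="$2"
  printf '%s %s' "arn:aws:iam::${account_id}:mfa/root-account-mfa-device" "$code"
}

# Enable versioning and MFA Delete in one call. Only root credentials can do this.
enable_mfa_delete() {
  bucket="$1"; account_id="$2"; code="$3"; profile="${4:-root-profile}"
  aws s3api put-bucket-versioning \
    --bucket "$bucket" \
    --versioning-configuration Status=Enabled,MFADelete=Enabled \
    --mfa "$(mfa_arg "$account_id" "$code")" \
    --profile "$profile"
}

# Classify a get-bucket-versioning JSON response:
#   protected      - Status=Enabled and MFADelete=Enabled
#   versioned-only - Status=Enabled but MFA Delete is Disabled or absent
#   unprotected    - versioning suspended or never enabled
classify_versioning() {
  json="$1"
  status=$(printf '%s' "$json" | sed -n 's/.*"Status": *"\([A-Za-z]*\)".*/\1/p')
  mfa=$(printf '%s' "$json" | sed -n 's/.*"MFADelete": *"\([A-Za-z]*\)".*/\1/p')
  if [ "$status" = "Enabled" ] && [ "$mfa" = "Enabled" ]; then
    echo protected
  elif [ "$status" = "Enabled" ]; then
    echo versioned-only
  else
    echo unprotected
  fi
}

# Read the live configuration back after enabling and classify it.
verify_bucket() {
  bucket="$1"; profile="${2:-root-profile}"
  classify_versioning "$(aws s3api get-bucket-versioning --bucket "$bucket" --profile "$profile")"
}
```

Run enable_mfa_delete followed by verify_bucket; anything other than "protected" means the change did not take effect.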