
Enable MFA S3 delete


I have THALES TOTP hardware tokens (MFA) which I would like to use as an additional protection against accidental S3 object deletion (https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiFactorAuthenticationDelete.html).

I know how to do that via the AWS CLI and that it can only be enabled by the root of the account. But what I do not understand is who should be the owner of the token devices? It cannot be root, because assigning it to the root automatically enables the token for AWS Console sign-in, plus there is a maximum of 8 devices...

If the MFA is not assigned to any user I got this error: An error occurred (NotDeviceOwnerError) when calling the PutBucketVersioning operation: The device with serial number XXXXXXXXX that generated token 123456 is not owned by the authenticated user

The reason I required the token is that while using the WORM S3 buckets (i.e. Object Versioning + Object Lock and Retention Mode) some users can still delete the files, and even though they are not really deleted but only get a delete marker, it is extremely confusing, and some tools do not know how to work with versioning, so the files (objects) look deleted.

I do not see any other option for solving that problem. On the one hand I want the users to have full S3 permissions, but there are buckets which must be READ-ONLY...

I will be grateful for any advice.

Petr
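
An added example, not part of the original post: a check that reports which keys in a versioned bucket only look deleted because their current version is a delete marker, and which data version still sits underneath. The listing is constructed sample data in the shape of an S3 ListObjectVersions response (what boto3's `list_object_versions` returns); key names and version IDs are made up.

```python
from datetime import datetime, timezone

def day(n):
    """Constructed timestamp helper: n-th of January 2024, UTC."""
    return datetime(2024, 1, n, tzinfo=timezone.utc)

# Constructed sample in the shape of an S3 ListObjectVersions response.
# For a real bucket, merge all pages of the listing before calling the check.
SAMPLE_LISTING = {
    "Versions": [
        {"Key": "reports/q1.pdf", "VersionId": "v1", "IsLatest": False, "LastModified": day(2)},
        {"Key": "reports/q1.pdf", "VersionId": "v2", "IsLatest": False, "LastModified": day(5)},
        {"Key": "reports/q2.pdf", "VersionId": "v3", "IsLatest": True, "LastModified": day(9)},
        {"Key": "reports/q2.pdf", "VersionId": "v4", "IsLatest": False, "LastModified": day(3)},
        {"Key": "reports/q3.pdf", "VersionId": "v5", "IsLatest": True, "LastModified": day(4)},
    ],
    "DeleteMarkers": [
        {"Key": "reports/q1.pdf", "VersionId": "dm1", "IsLatest": True, "LastModified": day(7)},
        # q2 was deleted once and uploaded again, so this marker is not current.
        {"Key": "reports/q2.pdf", "VersionId": "dm2", "IsLatest": False, "LastModified": day(6)},
    ],
}

def find_hidden_objects(listing):
    """Map each key whose current version is a delete marker to its details."""
    hidden = {}
    for marker in listing.get("DeleteMarkers", []):
        if marker["IsLatest"]:
            hidden[marker["Key"]] = {
                "marker_version_id": marker["VersionId"],
                "deleted_at": marker["LastModified"],
                "data_version_id": None,   # newest real version, filled in below
                "data_modified": None,
            }
    for version in listing.get("Versions", []):
        entry = hidden.get(version["Key"])
        if entry is None:
            continue  # key is still visible to tools that ignore versioning
        if entry["data_modified"] is None or version["LastModified"] > entry["data_modified"]:
            entry["data_version_id"] = version["VersionId"]
            entry["data_modified"] = version["LastModified"]
    return hidden

if __name__ == "__main__":
    for key, info in find_hidden_objects(SAMPLE_LISTING).items():
        print(f"{key}: hidden by {info['marker_version_id']} since {info['deleted_at']:%Y-%m-%d}, "
              f"data still present as version {info['data_version_id']}")
```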
