CloudTrail Bucket Delete Policy

Quick Info

Detailed Remediation Steps

1. Log into the AWS Management Console.
2. Select the “Services” option and search for “CloudTrail”.
   
3. In the “Dashboard” panel click on “View trails” button.
   
4. Select the “trail” that needs to be verified under “Name” column.
   
5. Scroll down and under the “Storage location” option check the S3 bucket used to store log data.
   
6. Go to “Services” and search for “S3” to go into S3 buckets dashboard.
   
7. Select the “S3 bucket” used to store data log in CloudTrail.
   
8. Enabling MFA using AWS Management Console is not supported as of now. MFA can be enabled using AWS API. Configure “AWS CLI” with your own “AWS Key Id” and “AWS Secret Key” as well as configure MFA for your root account.
9. Follow the commands to “Enable MFA”.
10. To list buckets in AWS account: aws s3api list-buckets –query ‘Buckets[*].Name’
    
11. To verify if the selected “CloudTrail bucket” has object versioning enabled : aws s3api get-bucket-versioning –bucket shukla008
    
12. To enable “MFA Delete” and “Versioning” of the selected “CloudTrail bucket” : aws s3api put-bucket-versioning –bucket shukla008 –versioning-configuration Status=Enabled,MFADelete=Enabled –mfa ‘arn:aws:iam::10260454563607:mfa/root-account-mfa-device 531098’
    
13. To verify if “MFA Delete” and “Versioning” of the selected “CloudTrail bucket” is enabled. It returns output as Enabled Enabled if “MFA and Versioning” are “Enabled” : aws s3api get-bucket-versioning –bucket shukla00
    
14. To list select “CloudTrail bucket” object versions : aws s3api list-object-versions –bucket shukla008
    
15. To examine try and delete the S3 object version without “MFA” token : aws s3api delete-object –bucket shukla008 –version-id “HBU7m.mOKZhxuXXDl5Y9c1Iu6.XWQkxu” –key demo.txt
    
16. MFA Delete is enabled on selected “CloudTrail bucket”.