AWS_Cloudtrail_5

Ensure CloudTrail Bucket MFA Delete Enabled

Description

The S3 bucket that receives CloudTrail logs should have versioning enabled together with the Multi-Factor Authentication (MFA) Delete feature. With MFA Delete on, permanently deleting a log object version or changing the bucket's versioning state requires the bucket owner's root credentials plus a valid code from the root account's MFA device, so an attacker or a compromised IAM principal cannot quietly erase the audit trail.

Remediation

Using AWS CLI

1. MFA Delete is part of the bucket's versioning configuration, so it is set with the same put-bucket-versioning command (OSX/Linux/UNIX) that enables versioning: request a versioning configuration with Status=Enabled and MFADelete=Enabled for the selected bucket. MFA Delete cannot be enabled from the AWS Management Console.

2. The call is only accepted with the root account credentials of the bucket owner and the MFA device registered on that root account. Replace the highlighted details with your own: the --mfa parameter value is the device's serial ARN followed by a space and the current passcode, passed as one quoted argument, in the format: arn:aws:iam::aws_account_id:mfa/root-account-mfa-device mfa_device_passcode

3. Run get-bucket-versioning command (OSX/Linux/UNIX) with the bucket name and confirm that the output reports both Status and MFADelete as Enabled. Note that MFADelete is omitted from the output if it has never been configured on the bucket.

Note: AWS does not support S3 Lifecycle configuration on buckets with MFA Delete enabled, so expiring old CloudTrail log versions by lifecycle rule will not be available on this bucket; plan retention accordingly.
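The three steps above as one runnable script. This is an added example, not part of the original page or of any vendor tooling; the bucket name, the account ID 123456789012, the device name root-account-mfa-device and the passcode 123456 are placeholder values, and the aws commands only run when a bucket and MFA argument are passed on the command line with root-account credentials configured. The two helper functions (MFA argument format check, versioning output check) run offline.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): enable S3 Versioning plus MFA Delete
# on a CloudTrail log bucket with the AWS CLI and verify the result.
# Assumed/hypothetical values: bucket name, account 123456789012, device name
# root-account-mfa-device, passcode 123456. Requires bucket-owner root credentials.

# The --mfa value is "<device serial ARN> <current 6-digit code>" in ONE string.
# Returns 0 when the argument has that shape, 1 otherwise.
mfa_arg_valid() {
  printf '%s\n' "$1" |
    grep -Eq '^arn:aws:iam::[0-9]{12}:mfa/[A-Za-z0-9+=,.@_-]+ [0-9]{6}$'
}

# Check the JSON from get-bucket-versioning: both Status and MFADelete must be
# "Enabled". MFADelete is absent entirely if it was never configured, and reads
# "Disabled" if it was switched off, so a missing key is a failure too.
versioning_ok() {
  printf '%s' "$1" | grep -Eq '"Status"[[:space:]]*:[[:space:]]*"Enabled"' &&
  printf '%s' "$1" | grep -Eq '"MFADelete"[[:space:]]*:[[:space:]]*"Enabled"'
}

# Step 1 + 2: one put-bucket-versioning call sets versioning and MFA Delete.
# Step 3: read the configuration back and verify it.
enable_and_verify() {
  bucket="$1"
  mfa="$2"
  mfa_arg_valid "$mfa" || {
    echo "bad --mfa argument: expected '<mfa device ARN> <6-digit code>'" >&2
    return 2
  }
  aws s3api put-bucket-versioning \
    --bucket "$bucket" \
    --versioning-configuration Status=Enabled,MFADelete=Enabled \
    --mfa "$mfa" || return 1
  out=$(aws s3api get-bucket-versioning --bucket "$bucket" --output json) || return 1
  versioning_ok "$out"
}

# Usage (placeholder values; the aws calls only happen when two args are given):
#   ./mfa_delete.sh my-cloudtrail-logs \
#     "arn:aws:iam::123456789012:mfa/root-account-mfa-device 123456"
if [ "$#" -eq 2 ]; then
  if enable_and_verify "$1" "$2"; then
    echo "versioning and MFA Delete are enabled on bucket $1"
  else
    echo "bucket $1 is NOT protected by MFA Delete" >&2
    exit 1
  fi
fi
```

The passcode is a time-based one-time code, so the --mfa string must be built at the moment the command runs; a rejected call usually means the code expired or the credentials are not the bucket owner's root credentials.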

Service

CloudTrail

Severity

High

Compliance

Mapping
