MFA (Multi-Factor Authentication) Delete
Wasabi supports the “x-amz-mfa” header when:
configuring versioning on a bucket, or
deleting objects with delete object requests compatible with AWS S3.
Wasabi does not require the “x-amz-mfa” header if the user's access credentials signing the request were authenticated with MFA. Wasabi only supports virtual MFA devices.
(Refer also to Workflow for Lifecycle Rule Implementation.)
Checking MFA-Delete Status for an S3 Bucket
To determine whether MFA-Delete is enabled for your S3 bucket, use the get-bucket-versioning command in the AWS CLI:
aws s3api get-bucket-versioning --bucket BUCKETNAME --profile WASABIPROFILE --endpoint-url=https://s3.BUCKETREGION.wasabisys.com
The output will indicate the versioning status and whether MFA-Delete is enabled. For example:
{
    "Status": "Enabled",
    "MFADelete": "Enabled"
}
Status: Enabled indicates that versioning is active.
MFADelete: Enabled confirms that MFA-Delete is enabled for the bucket.
Managing MFA-Delete Using the AWS CLI
The following are prerequisites for managing MFA-Delete using the AWS CLI:
Versioning is enabled on the bucket.
Root account credentials are configured with MFA.
AWS CLI v2 is installed.
Use this command to enable MFA-Delete:
aws s3api put-bucket-versioning --bucket BUCKETNAME --versioning-configuration MFADelete=Enabled,Status=Enabled --mfa "arn:aws:iam::ACCOUNTID:mfa/root-account-mfa-device MFACODE" --endpoint-url=https://s3.BUCKETREGION.wasabisys.com --profile WASABIPROFILE
Use this command to disable MFA-Delete:
aws s3api put-bucket-versioning --bucket BUCKETNAME --versioning-configuration MFADelete=Disabled,Status=Enabled --mfa "arn:aws:iam::ACCOUNTID:mfa/root-account-mfa-device MFACODE" --endpoint-url=https://s3.BUCKETREGION.wasabisys.com --profile WASABIPROFILE