
Amazon S3 - Enable MFA Delete

Amazon S3 supports creating objects as well as deleting them. When you no longer want to keep an object in an S3 bucket and want to reduce your monthly bill, you can delete it using the DELETE Object REST API. Once an object is deleted from Amazon S3, you cannot retrieve it. To protect your data from unwanted or accidental deletion, we recommend enabling MFA Delete on your S3 bucket. MFA (Multi-Factor Authentication) Delete enforces a second authentication step, using an MFA code, when accessing sensitive Amazon S3 resources.

You can enable MFA Delete at the same time as you specify the versioning state of the bucket. Once MFA Delete is enabled, all future requests to change the versioning state or delete a version require the x-amz-mfa request header. With MFA Delete enabled on an S3 bucket, every Delete Object REST API request must include the registered MFA device's serial number and its authentication code. After successful authentication, the S3 object is deleted from Amazon S3.

You can enable MFA Delete on an S3 bucket in one of two ways:

  • Enable MFA Delete on the bucket using the Amazon S3 REST API - Write your own code that calls the PUT Versioning REST API with a VersioningConfiguration XML document containing the MFA Delete and Versioning status.
  • Enable MFA Delete on the bucket using Bucket Explorer - If you do not want to write code, you can enable MFA Delete and S3 Versioning on the bucket through the Bucket Explorer user interface.


Enable MFA Delete using Amazon S3 REST API:

To enable MFA Delete using the Amazon S3 API, send a PUT request that includes the "x-amz-mfa" request header. Requests that include "x-amz-mfa" must use HTTPS.

The following request enables versioning and MFA Delete on bucket.

PUT /?versioning HTTP/1.1
Host: BucketName
Date: Date
Authorization: Signature
Content-Type: ContentType
Content-Length: Length-of-Content
x-amz-mfa: [SerialNumber] [AuthenticationCode]

<VersioningConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Status>Enabled</Status>
  <MfaDelete>Enabled</MfaDelete>
</VersioningConfiguration>
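
The request above can be assembled and checked in code before it is signed and sent. The following Python sketch is an added example, not part of the original page or of Bucket Explorer; the function names, the bucket URL and the serial number are constructed for illustration, and request signing (the Authorization header) is left to whatever client sends the request.

```python
import re
import xml.etree.ElementTree as ET

S3_NS = "http://s3.amazonaws.com/doc/2006-03-01/"  # S3 REST API XML namespace

def mfa_header(serial: str, code: str) -> str:
    """Return the x-amz-mfa value: '<SerialNumber> <AuthenticationCode>'."""
    serial, code = serial.strip(), code.strip()
    if not serial or any(c.isspace() for c in serial):
        raise ValueError("serial number must be a single non-empty token")
    if not re.fullmatch(r"\d{6}", code):
        raise ValueError("authentication code must be exactly six digits")
    return f"{serial} {code}"  # one-time secret: keep it out of logs

def versioning_body(versioning: bool = True, mfa_delete: bool = True) -> bytes:
    """Build the VersioningConfiguration document for PUT /?versioning."""
    root = ET.Element("VersioningConfiguration", xmlns=S3_NS)
    ET.SubElement(root, "Status").text = "Enabled" if versioning else "Suspended"
    ET.SubElement(root, "MfaDelete").text = "Enabled" if mfa_delete else "Disabled"
    return ET.tostring(root)

def build_request(bucket_url: str, serial: str, code: str) -> dict:
    """Assemble the unsigned request; refuse to place x-amz-mfa on plain HTTP."""
    if not bucket_url.lower().startswith("https://"):
        raise ValueError("requests that include x-amz-mfa must use HTTPS")
    body = versioning_body()
    return {
        "method": "PUT",
        "url": bucket_url.rstrip("/") + "/?versioning",
        "headers": {"x-amz-mfa": mfa_header(serial, code),
                    "Content-Length": str(len(body))},
        "body": body,
    }

def is_protected(xml_doc: bytes) -> bool:
    """True only if the document sets both Status and MfaDelete to Enabled."""
    root = ET.fromstring(xml_doc)
    def text(tag: str) -> str:
        el = root.find(f"{{{S3_NS}}}{tag}")
        return (el.text or "").strip() if el is not None else ""
    return text("Status") == "Enabled" and text("MfaDelete") == "Enabled"

# Constructed sample values (not real account data)
SERIAL = "arn:aws:iam::123456789012:mfa/example-device"
REQ = build_request("https://example-bucket.s3.amazonaws.com", SERIAL, "123456")
```
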

MFA Delete using Bucket Explorer:

Bucket Explorer provides a Set Versioning with MFA Delete option to prevent malicious access. While the "PUT Versioning" API lets you set versioning on the bucket through code, Bucket Explorer lets you do the same without writing any code at all.

Follow the steps below to set MFA delete on bucket using Bucket Explorer:

  1. Run Bucket Explorer.
  2. Connect to your AWS S3 Account using Bucket Explorer.
  3. In the bucket table, select the S3 bucket on which you want to set versioning with MFA Delete.
  4. Right-click the bucket and choose the "Versioning" option, or click the "Advanced" button on the bucket toolbar. It will show drop-down options; select "Versioning" among them.
  5. Click the "Set" option.
  6. A Set Versioning window will appear with two options to enable "Versioning" and "MFA Delete".
  7. If you have already enabled Versioning, you can choose the "MFA Delete" option to delete existing version(s) using MFA, or you can choose both options to enable "Versioning" and "MFA Delete".
  8. Then click the Set button.
  9. It will ask for the serial number and a valid six-digit code from the authentication device.
  10. Enter these values and click Done.
  11. Versioning with MFA Delete will be enabled successfully.