Protect S3 Bucket with MFA and Bucket Policy

MFA is one of the most important controls in security. It does more than protect the sign-in itself: a policy can also require that a request was made from an MFA-authenticated session before an action is allowed. If you have not enabled MFA on your accounts yet, do it.

This article shows how to protect an S3 bucket with MFA. How do we achieve that?

Consider this scenario:

Scenario

The idea is simple. A user whose request carries MFA can perform the allowed operations, while a request made without MFA is denied everything. By the end of this article you should have a clear picture of the MFA condition key and how it relates to the S3 bucket policy.

Note:
Make sure the administrator (in the scenario above) has MFA enabled. Any TOTP app works as a virtual MFA device; for example, install Google Authenticator or Microsoft Authenticator on your phone.

To enable MFA, see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html

For testing you need at least two users. I will show which one is the administrator and which one is the other user.

My primary user, act as administrator

The first user, named ardihan, has MFA enabled. To enable a virtual MFA device for a user, follow https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html

My other user

Next, create a new user; in this article I named it ardihtest to keep things simple. This user does not have MFA, so create it like a normal user.

Check my primary user

I know, I have not activated MFA for the root account yet. But don't worry, the root account is safe 😆. As you can see, my primary user has MFA enabled.

Next, create an S3 bucket.

Create an S3 bucket named ardih-mfa

Switch to the Permissions tab.

Permissions

Scroll down the page to the Bucket policy section.

Bucket policy

Click Edit.

Paste the policy, replace the bucket name and the user ARN with your own, then click Save changes.

If you look at the policy, you will find two statements. The first is a Deny of every S3 action on the bucket and its objects, for all principals ("Principal": "*"), with the condition "aws:MultiFactorAuthPresent": "false". The second is an Allow for my primary user, identified by its ARN.

Two caveats matter here. First, aws:MultiFactorAuthPresent is only present in the request context when the caller uses temporary credentials (a console sign-in or an STS session). A request signed with a long-term access key from `aws configure` has no such key at all, and a plain "Bool": {"aws:MultiFactorAuthPresent": "false"} condition does not match a missing key, so that request would slip past the Deny. Use "BoolIfExists" instead, which treats a missing key as a match for "false" and denies the request. Second, because the Deny applies to every principal, the administrator is also denied whenever their own session lacks MFA; if you lock yourself out, sign in as the account root user and remove the bucket policy.
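The following Python is an added example, not the policy from this article or anything AWS ships: it builds the two-statement bucket policy and runs it through a deliberately small evaluator that models only what this page needs (explicit Deny beats Allow, a Principal/Action/Resource match, and the Bool, BoolIfExists and Null condition operators). It ignores IAM identity-based policies, so it only shows what the bucket policy alone grants. The account id, user ARNs and request contexts are constructed placeholders; replace them with your own.

```python
import fnmatch
import json

# Constructed placeholders: use your own account id, user names and bucket.
BUCKET = "ardih-mfa"
ACCOUNT_ID = "123456789012"
ADMIN_ARN = f"arn:aws:iam::{ACCOUNT_ID}:user/ardihan"
OTHER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:user/ardihtest"
BUCKET_ARNS = [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]
MFA_KEY = "aws:MultiFactorAuthPresent"


def bucket_policy(deny_operator="BoolIfExists"):
    """Two statements: deny everything without MFA, then allow the admin user.
    deny_operator lets us compare the weak "Bool" form with "BoolIfExists"."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyWhenNoMFA",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": BUCKET_ARNS,
                "Condition": {deny_operator: {MFA_KEY: "false"}},
            },
            {
                "Sid": "AllowAdmin",
                "Effect": "Allow",
                "Principal": {"AWS": ADMIN_ARN},
                "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": BUCKET_ARNS,
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller_arn):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return caller_arn in _as_list(principal.get("AWS", []))
    return False


def _condition_matches(condition, context):
    """Simplified IAM condition semantics for the three operators used here."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = str(expected).lower()
            actual = context.get(key)
            if operator == "Bool":
                # Missing key never matches: this is the gap a long-term access key slips through.
                if actual is None or str(actual).lower() != expected:
                    return False
            elif operator == "BoolIfExists":
                # Missing key counts as a match; present key must equal the expected value.
                if actual is not None and str(actual).lower() != expected:
                    return False
            elif operator == "Null":
                if (actual is None) != (expected == "true"):
                    return False
            else:
                raise ValueError(f"unsupported operator {operator}")
    return True


def _statement_matches(stmt, req):
    return (
        _principal_matches(stmt["Principal"], req["principal"])
        and any(fnmatch.fnmatchcase(req["action"], a) for a in _as_list(stmt["Action"]))
        and any(fnmatch.fnmatchcase(req["resource"], r) for r in _as_list(stmt["Resource"]))
        and _condition_matches(stmt.get("Condition", {}), req["context"])
    )


def evaluate(policy, req):
    """Explicit Deny wins, then any Allow, otherwise implicit Deny."""
    effects = {s["Effect"] for s in policy["Statement"] if _statement_matches(s, req)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "Deny"


# Constructed request contexts for the three ways a user reaches S3.
CONSOLE_WITH_MFA = {MFA_KEY: "true"}   # console sign-in with MFA, or an STS session obtained with MFA
SESSION_NO_MFA = {MFA_KEY: "false"}    # temporary credentials obtained without MFA
LONG_TERM_KEY = {}                      # plain access key: the MFA key is absent entirely


def request(principal, context, action="s3:PutObject", key="report.txt"):
    return {"principal": principal, "action": action,
            "resource": f"arn:aws:s3:::{BUCKET}/{key}", "context": context}


def decisions(deny_operator):
    """Decision for the admin under each credential type, plus the user without MFA."""
    policy = bucket_policy(deny_operator)
    return {
        "admin_console_mfa": evaluate(policy, request(ADMIN_ARN, CONSOLE_WITH_MFA)),
        "admin_session_no_mfa": evaluate(policy, request(ADMIN_ARN, SESSION_NO_MFA)),
        "admin_long_term_key": evaluate(policy, request(ADMIN_ARN, LONG_TERM_KEY)),
        "other_user_mfa": evaluate(policy, request(OTHER_ARN, CONSOLE_WITH_MFA)),
    }


if __name__ == "__main__":
    print(json.dumps(bucket_policy(), indent=2))   # the policy to paste into the console
    for operator in ("Bool", "BoolIfExists"):
        print(operator, decisions(operator))
```

Running it prints the policy JSON and then the decisions: with "Bool" the admin's long-term access key is allowed through because the condition key is absent, while with "BoolIfExists" that request is denied, which is the behaviour the article intends. The other user is implicitly denied in both cases because nothing in the bucket policy allows them.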

That's all. Test it by uploading and deleting a file as the primary user and as the other user, and see what happens. If you test from the AWS CLI, remember that plain access keys carry no MFA information: first obtain MFA-backed temporary credentials with `aws sts get-session-token --serial-number <your MFA device ARN> --token-code <current code>` and use those for the test requests.