How Arjun Discovered MFA Delete After Accidentally Deleting an S3 Object

It was a typical Monday morning when Arjun made a mistake. While cleaning up some S3 buckets, he permanently deleted an important versioned object. There was no going back.
Later that day, his mentor asked him, “Did you have MFA Delete enabled?”
Arjun blinked. “What’s that?”
Let’s dive into MFA Delete — a critical S3 security feature that can save you from accidental or malicious deletions.
🔍 What Is MFA Delete?
MFA stands for Multi-Factor Authentication. It’s a way to add a second layer of protection by requiring a one-time code from:
A mobile app like Google Authenticator or Authy
A hardware MFA device (like a YubiKey)
MFA Delete is a special S3 feature that adds this protection to certain destructive actions — specifically:
✅ MFA is required for:
Permanently deleting object versions
Suspending versioning on a bucket
These operations are irreversible or potentially dangerous. Amazon wants to make sure you really mean it — hence, MFA.
🛑 MFA is NOT required for:
Enabling versioning
Listing deleted versions
Restoring versions
So, you only get prompted for MFA when it matters most.
🪣 How MFA Delete Works
Let’s go back to Arjun.
Step 1: He enables Versioning on an S3 bucket.
This creates a new version every time he uploads or modifies a file.
Step 2: He wants to protect against accidental deletions.
So he enables MFA Delete — but here’s the catch:
❗ Only the root user (not IAM users) can enable or disable MFA Delete.
That’s right. This is an advanced security feature that requires access to the AWS account’s root credentials.
Step 3: He links an MFA device (via AWS IAM) to the root user.
Now, when Arjun (or anyone else) tries to:
Permanently delete an object version
Suspend versioning on the bucket
They’ll have to supply a current code from the MFA device along with the request.
No code? No deletion.
⚙️ Enabling MFA Delete: The Hard Truth
This isn’t something you can do from the AWS Management Console. It requires the AWS CLI or API. And since it involves the root user, you should be very careful.
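Here is what that looks like with the AWS CLI, as an added example that is not code from the original article. The function names are made up for illustration, and the bucket name, account ID and MFA device ARN are placeholders.

```shell
# Added example. Run with the bucket owner's root credentials.
# Bucket name, account ID and MFA serial shown in the usage are placeholders.

# Enable versioning and MFA Delete in a single request.
#   $1 bucket   $2 MFA device serial/ARN   $3 current 6-digit code
enable_mfa_delete() {
  case "$3" in
    [0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo "MFA code must be exactly 6 digits" >&2; return 2 ;;
  esac
  # --mfa takes "<serial> <code>" as ONE argument, separated by a space.
  aws s3api put-bucket-versioning \
    --bucket "$1" \
    --versioning-configuration Status=Enabled,MFADelete=Enabled \
    --mfa "$2 $3"
}

# Audit a bucket. Prints one of:
#   protected        versioning and MFA Delete both enabled
#   versioning-only  versions are kept, but can be deleted without MFA
#   unprotected      versioning never enabled, or suspended
mfa_delete_state() {
  out=$(aws s3api get-bucket-versioning --bucket "$1" \
        --query '[Status,MFADelete]' --output text) || return 1
  # Text output is "Status<TAB>MFADelete"; unset fields print as "None".
  set -- $out
  if [ "$1" = Enabled ] && [ "$2" = Enabled ]; then
    echo protected
  elif [ "$1" = Enabled ]; then
    echo versioning-only
  else
    echo unprotected
  fi
}

# Usage (placeholders):
#   enable_mfa_delete example-bucket \
#     arn:aws:iam::111122223333:mfa/root-account-mfa-device 123456
#   mfa_delete_state example-bucket
```

Running `mfa_delete_state` across your buckets is a quick way to find the ones where versioning is on but a permanent delete still needs no second factor.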
🧠 AWS SAA Exam Tip
If a question talks about preventing permanent deletion in S3, and mentions extra protection, the correct answer is often MFA Delete.
Remember: Only the root user can enable/disable MFA Delete.
Versioning must be enabled before MFA Delete can be used.
✅ Summary: What Arjun Learned
MFA Delete protects against accidental or malicious permanent deletions
It only applies to a few specific S3 actions
You must use the root account + CLI to enable it
This is a very common AWS SAA exam question
MFA Delete may sound complicated at first, but it's like a security seatbelt — you don’t always need it, but when you do, you’ll be thankful it’s there.