Pierre-Loup 770348d041
Avoid OWASP Top 10 security-standard mismatch between metadata and description links (RULEAPI-798) (#3537)
* Add check for security standard mismatch

* Fix security standard mismatches

* Fix Resources/Standards links for secrets rules

* Fix check

* Fix links and update security standard mapping

* Fix maintainability issue

* Apply review suggestions

* Apply suggestions from code review

Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>

* Fix typo

Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>

---------

Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>
2024-01-17 17:20:28 +01:00


When S3 bucket versioning is enabled, it is possible to require an additional authentication factor before a user is allowed to delete versions of an object or change the versioning state of a bucket. This prevents accidental object deletion by forcing the user sending the delete request to prove that they hold a valid MFA device and a corresponding valid token.

== Ask Yourself Whether

* The S3 bucket stores sensitive information that must be preserved in the long term.
* The S3 bucket grants delete permission to many users.

There is a risk if you answered yes to any of those questions.

== Recommended Secure Coding Practices

It is recommended to enable S3 MFA delete. Note that:

* MFA delete can only be enabled with the AWS CLI or API, and only with the root account.
* To delete an object version, the API should be used with the ``++x-amz-mfa++`` header.
* An API request carrying the ``++x-amz-mfa++`` header can only be made over HTTPS.
== Sensitive Code Example

A versioned S3 bucket does not have MFA delete enabled, for AWS provider version 3 or below:

[source,terraform]
----
resource "aws_s3_bucket" "example" { # Sensitive
  bucket = "example"

  versioning {
    enabled = true
  }
}
----

A versioned S3 bucket does not have MFA delete enabled, for AWS provider version 4 or above:

[source,terraform]
----
resource "aws_s3_bucket" "example" {
  bucket = "example"
}

resource "aws_s3_bucket_versioning" "example" { # Sensitive
  bucket = aws_s3_bucket.example.id

  versioning_configuration {
    status = "Enabled"
  }
}
----
== Compliant Solution

MFA delete is enabled, for AWS provider version 3 or below:

[source,terraform]
----
resource "aws_s3_bucket" "example" {
  bucket = "example"

  versioning {
    enabled    = true
    mfa_delete = true
  }
}
----

MFA delete is enabled, for AWS provider version 4 or above:

[source,terraform]
----
resource "aws_s3_bucket" "example" {
  bucket = "example"
}

resource "aws_s3_bucket_versioning" "example" {
  bucket = aws_s3_bucket.example.id

  versioning_configuration {
    status     = "Enabled"
    mfa_delete = "Enabled"
  }

  mfa = "${var.MFA}"
}
----
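As an added illustration of the two patterns contrasted above (this is example code written for this page, not the SonarSource analyzer's own rule implementation), the following Python checker parses the small HCL subset these snippets use and reports every versioned bucket whose MFA delete setting is absent: a `versioning` block with `enabled = true` but no `mfa_delete = true` for provider version 3 and below, and an `aws_s3_bucket_versioning` resource with `status = "Enabled"` but no `mfa_delete = "Enabled"` for version 4 and above. The Terraform samples embedded in it are constructed for this example; resource names such as `legacy` and `modern` are assumptions.

```python
"""Added example: flag versioned S3 buckets without MFA delete in Terraform text.
Illustration only, not the SonarSource rule implementation; handles the HCL
subset used in the snippets above (resource blocks, nested blocks, attributes)."""
import re

# Tokens: whitespace, '#' comments, quoted strings, { } =, bare identifiers/refs.
_TOKEN_RE = re.compile(r'\s+|#[^\n]*|"(?:[^"\\]|\\.)*"|[{}=]|[A-Za-z0-9_.\-\[\]]+')


def tokenize(text):
    """Significant tokens of an HCL snippet (whitespace and comments dropped)."""
    return [m.group(0) for m in _TOKEN_RE.finditer(text)
            if not m.group(0).isspace() and not m.group(0).startswith("#")]


def _parse_body(tokens, i):
    """Parse from index i to the matching '}'; return (body, index after '}').
    body = {"attrs": {key: value}, "blocks": [(kind, labels, body), ...]};
    quoted values are unquoted, bare values (true, references) kept as text."""
    body = {"attrs": {}, "blocks": []}
    while tokens[i] != "}":
        key = tokens[i]
        if tokens[i + 1] == "=":                      # attribute: key = value
            body["attrs"][key] = tokens[i + 2].strip('"')
            i += 3
        else:                                         # block: key "label"... { ... }
            labels, j = [], i + 1
            while tokens[j] != "{":
                labels.append(tokens[j].strip('"'))
                j += 1
            inner, i = _parse_body(tokens, j + 1)
            body["blocks"].append((key, labels, inner))
    return body, i + 1


def parse_hcl(text):
    """Top-level blocks of the file; a sentinel '}' closes the implicit root."""
    return _parse_body(tokenize(text) + ["}"], 0)[0]["blocks"]


def find_missing_mfa_delete(text):
    """Return 'type.name' for each versioned bucket resource lacking MFA delete."""
    findings = []
    for kind, labels, body in parse_hcl(text):
        if kind != "resource" or len(labels) != 2:
            continue
        rtype, name = labels
        for bkind, _, inner in body["blocks"]:
            a = inner["attrs"]
            # provider <= 3: versioning {} inside aws_s3_bucket
            v3_hit = (rtype == "aws_s3_bucket" and bkind == "versioning"
                      and a.get("enabled") == "true" and a.get("mfa_delete") != "true")
            # provider >= 4: separate aws_s3_bucket_versioning resource
            v4_hit = (rtype == "aws_s3_bucket_versioning" and bkind == "versioning_configuration"
                      and a.get("status") == "Enabled" and a.get("mfa_delete") != "Enabled")
            if v3_hit or v4_hit:
                findings.append(f"{rtype}.{name}")
    return findings


# Constructed sample (not from the page): two sensitive resources, one that is fine.
SENSITIVE_TF = """
resource "aws_s3_bucket" "legacy" {            # v3 style, versioned, no mfa_delete
  bucket = "legacy"
  versioning {
    enabled = true
  }
}
resource "aws_s3_bucket_versioning" "modern" { # v4 style, no mfa_delete
  bucket = aws_s3_bucket.modern.id
  versioning_configuration {
    status = "Enabled"
  }
}
resource "aws_s3_bucket" "unversioned" {       # not versioned: rule does not apply
  bucket = "unversioned"
}
"""

# Constructed compliant sample: both forms with MFA delete enabled.
COMPLIANT_TF = """
resource "aws_s3_bucket" "legacy" {
  bucket = "legacy"
  versioning {
    enabled    = true
    mfa_delete = true
  }
}
resource "aws_s3_bucket_versioning" "modern" {
  bucket = aws_s3_bucket.modern.id
  versioning_configuration {
    status     = "Enabled"
    mfa_delete = "Enabled"
  }
  mfa = "${var.MFA}"
}
"""

if __name__ == "__main__":
    for res in find_missing_mfa_delete(SENSITIVE_TF):
        print(f"{res}: make sure allowing object deletion without MFA is safe here")
    print("compliant findings:", find_missing_mfa_delete(COMPLIANT_TF))
```

The parser deliberately covers only what the rule needs to look at; a bucket with no `versioning` block at all, or with `enabled = false`, is left alone, because MFA delete only applies once versioning is on. For a real code base, a full HCL parser (for instance `python-hcl2`) would replace `tokenize` and `_parse_body`, and `find_missing_mfa_delete` would stay the same.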
== See

* https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiFactorAuthenticationDelete.html[AWS documentation] - Configuring MFA delete
* CWE - https://cwe.mitre.org/data/definitions/308[CWE-308 - Use of Single-factor Authentication]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Make sure allowing object deletion without MFA is safe here.

endif::env-github,rspecator-view[]