Protecting your S3 data

How to protect your precious S3 data from being deleted
Recently I worked on creating Cloud Custodian policies to maintain a Sandbox
environment. In the course of development and testing, an unexpected action
occurred that deleted multiple S3 buckets. Here I will discuss ways to protect
this data and prevent accidental deletion of files.

Use MFA (Multi-Factor Authentication) or Versioning
The AWS documentation on this topic discusses it in more detail. One of my
coworkers reported having encountered extreme difficulty in trying to delete
files from a bucket, and the bucket itself, after enabling MFA protection.
While MFA Delete protects your bucket from deletion, the other option is
Versioning. Versioning allows you to store multiple versions of your files, so
a deleted or overwritten object can be recovered from an earlier version.

An easy way to protect your bucket with MFA Delete protection and/or
Versioning is via Terraform. Using Terraform you can apply versioning to your
bucket as in this example (note the versioning block).
In this example we are enabling versioning with the enabled = true
statement and requesting MFA Delete protection with mfa_delete = true.

resource "aws_s3_bucket" "b" {
  bucket = "my-tf-test-bucket"
  acl    = "private"

  # Keep every version of each object, and require MFA to change the
  # versioning state or permanently delete an object version.
  versioning {
    enabled    = true
    mfa_delete = true
  }
}
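
Because Terraform on its own does not confirm that MFA Delete actually took effect, here is an added audit (my own example, not part of the original post and not a Cloud Custodian policy) that reads each bucket's versioning configuration and reports which of the two protections is missing. It assumes boto3 and AWS credentials only for the live run; the constructed sample responses let the check itself run offline.

```python
"""Audit S3 buckets for the two protections discussed above: versioning and MFA Delete."""
from typing import Dict, List

def evaluate_versioning(config: Dict[str, str]) -> List[str]:
    """Return findings for one bucket's GetBucketVersioning response.

    'Status' is 'Enabled' or 'Suspended' (absent if versioning was never turned on);
    'MFADelete' is 'Enabled' or 'Disabled' (absent if never set).
    An empty list means the bucket has both protections.
    """
    findings: List[str] = []
    status = config.get("Status")
    if status != "Enabled":
        findings.append("versioning is " + (status.lower() if status else "not enabled"))
    if config.get("MFADelete") != "Enabled":
        findings.append("MFA Delete is not enabled")
    return findings

def audit_buckets(session=None) -> Dict[str, List[str]]:
    """Run evaluate_versioning over every bucket in the account (live: needs boto3 + credentials)."""
    import boto3  # imported here so the pure check above works without boto3 installed
    s3 = (session or boto3).client("s3")
    report: Dict[str, List[str]] = {}
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        findings = evaluate_versioning(s3.get_bucket_versioning(Bucket=name))
        if findings:
            report[name] = findings
    return report

# Constructed sample responses (not from a real account) for an offline run.
SAMPLE_RESPONSES = {
    "my-tf-test-bucket": {"Status": "Enabled", "MFADelete": "Enabled"},
    "logs-bucket": {"Status": "Suspended"},
    "scratch-bucket": {},  # versioning never configured
}

def audit_sample(responses=SAMPLE_RESPONSES) -> Dict[str, List[str]]:
    """Same report as audit_buckets, but over the constructed responses."""
    report: Dict[str, List[str]] = {}
    for name, cfg in responses.items():
        findings = evaluate_versioning(cfg)
        if findings:
            report[name] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit_sample().items():
        print(name, "->", "; ".join(findings))
```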

I will include other IaC examples as time permits.
Future enhancements:

  • Ansible
  • Others?