Control: CloudTrail trail S3 buckets MFA delete should be enabled
Description
Ensure that the S3 buckets used by CloudTrail trails have MFA delete enabled. MFA delete helps prevent accidental bucket deletions by requiring the user who initiates the delete action to prove physical possession of an MFA device with an MFA code, adding an extra layer of friction and security to the delete action.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cloudtrail_trail_bucket_mfa_enabled
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.cloudtrail_trail_bucket_mfa_enabled --share
SQL
This control uses a named query:
select
  t.arn as resource,
  case
    -- a trail without a bucket is not logging at all
    when t.s3_bucket_name is null then 'alarm'
    when b.versioning_mfa_delete then 'ok'
    -- covers both "MFA delete off" and "bucket not found in this account" (left join gives null)
    else 'alarm'
  end as status,
  case
    when t.s3_bucket_name is null then t.title || ' logging disabled.'
    -- a space is inserted between the trail title and the bucket name so the reason is readable
    when b.versioning_mfa_delete then t.title || ' ' || t.s3_bucket_name || ' MFA enabled.'
    else t.title || ' ' || t.s3_bucket_name || ' MFA disabled.'
  end as reason,
  t.region,
  t.account_id
from
  aws_cloudtrail_trail t
  left join aws_s3_bucket b on t.s3_bucket_name = b.name
where
  -- multi-region trails are listed in every region; keep one row per trail
  t.region = t.home_region;
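The control above reports a single alarm reason whenever MFA delete is not on. The following variant is an added example, not part of the aws_compliance mod, that separates the failure modes a practitioner usually wants to tell apart: the bucket is not visible to the Steampipe connection (typically a cross-account logging bucket), versioning is off (so MFA delete cannot be enabled at all), or versioning is on but MFA delete is off. It assumes the Steampipe aws plugin tables aws_cloudtrail_trail and aws_s3_bucket, including the boolean aws_s3_bucket.versioning_enabled column.

```sql
-- Added example (not the mod's own query): refine the alarm reason.
-- Assumes Steampipe's aws_cloudtrail_trail and aws_s3_bucket tables,
-- including aws_s3_bucket.versioning_enabled (boolean).
select
  t.arn as resource,
  case
    when t.s3_bucket_name is null then 'alarm'      -- trail is not logging
    when b.name is null then 'alarm'                -- bucket not found in this connection
    when not b.versioning_enabled then 'alarm'      -- MFA delete requires versioning
    when b.versioning_mfa_delete then 'ok'
    else 'alarm'                                    -- versioned, but MFA delete off
  end as status,
  case
    when t.s3_bucket_name is null
      then t.title || ' logging disabled.'
    when b.name is null
      then t.title || ' bucket ' || t.s3_bucket_name
           || ' not found in this account (cross-account bucket?).'
    when not b.versioning_enabled
      then t.title || ' bucket ' || t.s3_bucket_name
           || ' versioning disabled, so MFA delete cannot be enabled.'
    when b.versioning_mfa_delete
      then t.title || ' bucket ' || t.s3_bucket_name || ' MFA delete enabled.'
    else t.title || ' bucket ' || t.s3_bucket_name || ' MFA delete disabled.'
  end as reason,
  t.region,
  t.account_id
from
  aws_cloudtrail_trail t
  left join aws_s3_bucket b on t.s3_bucket_name = b.name
where
  t.region = t.home_region;  -- one row per trail, even for multi-region trails
```

For a cross-account logging bucket, run the same query against a connection for the account that owns the bucket, since the left join can only see buckets in the connection's own account.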