S3 MFA-Delete and Object Lock support

I don’t see how to enforce MFA Delete and Object Locking in an S3 Bucket.

I can’t find MFA-Delete in CloudFormation, but ObjectLock is:

Type: AWS::S3::Bucket
Properties: 
  ObjectLockConfiguration: 
    ObjectLockConfiguration
  ObjectLockEnabled: Boolean

Use Case

Define Buckets with MFA-Delete and Object Lock enabled from the start.

Proposed Solution

Add the properties to the S3.Bucket object. Workaround: Doing it manually after creation.

Other

Maybe it already exists, or another workaround exists, and I didn’t find it. Thanks.


This is a 🚀 Feature Request

Issue Analytics

  • State: open
  • Created 4 years ago
  • Reactions: 9
  • Comments: 8 (4 by maintainers)

Top GitHub Comments

2 reactions
ryparker commented, Sep 29, 2021

Came across this issue when looking for ways to configure Object Lock. Here’s my workaround that uses escape hatches:

// Assumption added for completeness: the original snippet takes a `stack` as given.
import { App, Stack } from '@aws-cdk/core';
import { Bucket, CfnBucket } from '@aws-cdk/aws-s3';

const app = new App();
const stack = new Stack(app, 'Stack');

const bucket = new Bucket(stack, 'Bucket', {
  // ...other bucket props elided in the original comment
  versioned: true, // Bucket versioning is required when enabling ObjectLock
});

// Get the CloudFormation resource
const cfnBucket = bucket.node.defaultChild as CfnBucket;
// Add the ObjectLockConfiguration prop to the Bucket's CloudFormation output.
cfnBucket.addPropertyOverride('ObjectLockConfiguration.ObjectLockEnabled', 'Enabled');

ObjectLockConfiguration CloudFormation docs

1 reaction
EugRomanchenko commented, Jan 28, 2022

Thanks for your input @ryparker. But I tried again to cdk deploy after a cdk destroy, making sure the buckets did not exist, with the following setup, and am still having the error.

// Assumed import: the comment links the aws-cdk-lib (v2) docs.
import * as s3 from 'aws-cdk-lib/aws-s3';

// This runs inside a Stack or Construct; `id`, `bucketName` and `isDev`
// are in scope in the original setup and are not shown here.
const bucket = new s3.Bucket(this, id, {
  bucketName: bucketName,
  blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,
  versioned: true, // required for Object Lock
  publicReadAccess: false,
  autoDeleteObjects: isDev ? true : false,
});
const cfnBucket = bucket.node.defaultChild as s3.CfnBucket;
// Only the nested configuration flag is set here.
cfnBucket.addPropertyOverride(
  "ObjectLockConfiguration.ObjectLockEnabled",
  "Enabled"
);

One more parameter overwrite is missing to enable Object Lock (https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.CfnBucketProps.html):

// Both overrides are needed: the bucket-level flag and the nested configuration.
cfnBucket.addPropertyOverride(
  "ObjectLockEnabled",
  true
);
cfnBucket.addPropertyOverride(
  "ObjectLockConfiguration.ObjectLockEnabled",
  "Enabled"
);
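The two comments above come down to what the synthesized template contains: Object Lock only takes effect when both the bucket-level `ObjectLockEnabled` and the nested `ObjectLockConfiguration.ObjectLockEnabled` are present alongside versioning, and MFA delete has no CloudFormation property at all, so it can only be confirmed on the live bucket. The TypeScript below is an added example, not code from the CDK issue or from the aws-cdk project. It walks the JSON that `cdk synth` writes and reports buckets whose Object Lock setup is incomplete, and it reads the response shape of `aws s3api get-bucket-versioning` (`Status` plus an optional `MFADelete`) to confirm MFA delete was enabled by hand afterwards. The template, the versioning responses, the logical IDs and the function names `checkObjectLock` and `mfaDeleteEnabled` are all constructed for this example.

```typescript
// Added example (not from the CDK issue or the aws-cdk project): an offline
// check over a synthesized CloudFormation template, plus a check over the JSON
// that `aws s3api get-bucket-versioning` returns, since MFA delete is not a
// CloudFormation property and can only be verified after the bucket exists.

type CfnResource = { Type: string; Properties?: Record<string, any> };
type CfnTemplate = { Resources: Record<string, CfnResource> };

interface ObjectLockFinding {
  logicalId: string;
  problems: string[];
}

// Reports every AWS::S3::Bucket that claims Object Lock (either property set)
// but lacks the other property or versioning. Buckets that set neither
// property are not reported: they simply do not use Object Lock.
function checkObjectLock(template: CfnTemplate): ObjectLockFinding[] {
  const findings: ObjectLockFinding[] = [];
  for (const [logicalId, res] of Object.entries(template.Resources)) {
    if (res.Type !== 'AWS::S3::Bucket') continue;
    const props = res.Properties ?? {};
    const bucketFlag = props.ObjectLockEnabled === true;
    const configFlag = props.ObjectLockConfiguration?.ObjectLockEnabled === 'Enabled';
    const versioned = props.VersioningConfiguration?.Status === 'Enabled';
    if (!bucketFlag && !configFlag) continue;
    const problems: string[] = [];
    if (!bucketFlag) problems.push('ObjectLockEnabled: true is missing');
    if (!configFlag) problems.push("ObjectLockConfiguration.ObjectLockEnabled: 'Enabled' is missing");
    if (!versioned) problems.push('VersioningConfiguration.Status must be Enabled');
    if (problems.length > 0) findings.push({ logicalId, problems });
  }
  return findings;
}

// Shape of the `aws s3api get-bucket-versioning` response. MFADelete is absent
// until the bucket owner has enabled it with the root account's MFA device
// (`aws s3api put-bucket-versioning --mfa ...`), which CloudFormation cannot do.
interface BucketVersioning {
  Status?: 'Enabled' | 'Suspended';
  MFADelete?: 'Enabled' | 'Disabled';
}

function mfaDeleteEnabled(v: BucketVersioning): boolean {
  return v.Status === 'Enabled' && v.MFADelete === 'Enabled';
}

// Constructed template standing in for `cdk synth` output with three buckets.
// LockedBucket applies both overrides from the thread; PartialBucket applies
// only the nested one (the first attempt in the thread); PlainBucket uses no
// Object Lock at all. Logical IDs are made up for this example.
const SAMPLE_TEMPLATE: CfnTemplate = {
  Resources: {
    LockedBucket: {
      Type: 'AWS::S3::Bucket',
      Properties: {
        VersioningConfiguration: { Status: 'Enabled' },
        ObjectLockEnabled: true,
        ObjectLockConfiguration: { ObjectLockEnabled: 'Enabled' },
      },
    },
    PartialBucket: {
      Type: 'AWS::S3::Bucket',
      Properties: {
        VersioningConfiguration: { Status: 'Enabled' },
        ObjectLockConfiguration: { ObjectLockEnabled: 'Enabled' },
      },
    },
    PlainBucket: {
      Type: 'AWS::S3::Bucket',
      Properties: { VersioningConfiguration: { Status: 'Enabled' } },
    },
    AccessLogs: { Type: 'AWS::Logs::LogGroup' },
  },
};

// Constructed get-bucket-versioning responses: before and after MFA delete
// was enabled manually on the deployed bucket.
const VERSIONING_BEFORE: BucketVersioning = { Status: 'Enabled' };
const VERSIONING_AFTER: BucketVersioning = { Status: 'Enabled', MFADelete: 'Enabled' };

function sampleFindings(): ObjectLockFinding[] {
  return checkObjectLock(SAMPLE_TEMPLATE);
}

for (const f of sampleFindings()) {
  console.log(`${f.logicalId}: ${f.problems.join('; ')}`);
}
console.log(
  `MFA delete before: ${mfaDeleteEnabled(VERSIONING_BEFORE)}, after: ${mfaDeleteEnabled(VERSIONING_AFTER)}`
);
```

Run it against `cdk.out/<stack>.template.json` (parse the file and pass the object to `checkObjectLock`) as a pre-deploy gate; a bucket that sets only one of the two flags, as in the first attempt above, is reported before CloudFormation ever sees it. The MFA delete check is deliberately separate because the template can never prove it: that property only shows up in the live `get-bucket-versioning` response.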