1
00:00:00,180 --> 00:00:01,430
All right, you are going to talk about

2
00:00:01,430 --> 00:00:02,710
MFA-Delete in depth.

3
00:00:02,710 --> 00:00:07,230
So MFA-Delete is to use MFA, so multi-factor authentication,

4
00:00:07,230 --> 00:00:09,130
and that will force our users

5
00:00:09,130 --> 00:00:11,200
to generate a code on the device,

6
00:00:11,200 --> 00:00:13,450
it could be your mobile phone or your hardware key

7
00:00:13,450 --> 00:00:15,780
to do important operations on S3.

8
00:00:15,780 --> 00:00:17,440
So to use MFA-Delete,

9
00:00:17,440 --> 00:00:19,830
we have to first enable versioning on the S3 bucket,

10
00:00:19,830 --> 00:00:21,140
but you already know this.

11
00:00:21,140 --> 00:00:24,960
And when we need MFA will be to permanently delete

12
00:00:24,960 --> 00:00:28,090
an object version and suspend versioning on the bucket.

13
00:00:28,090 --> 00:00:30,450
So these are like the most important disruptive actions

14
00:00:30,450 --> 00:00:31,970
that we'll need MFA for,

15
00:00:31,970 --> 00:00:36,380
but if we just enable versioning or list deleted versions,

16
00:00:36,380 --> 00:00:39,360
or just delete a version by just adding a marker,

17
00:00:39,360 --> 00:00:41,870
this is fine, we don't need MFA for that.

18
00:00:41,870 --> 00:00:45,010
The one important thing to know is that MFA-Delete

19
00:00:45,010 --> 00:00:48,270
must be enabled or disabled only by the bucket owner,

20
00:00:48,270 --> 00:00:49,790
which is the root account.

21
00:00:49,790 --> 00:00:51,760
So even if you have an administrator account,

22
00:00:51,760 --> 00:00:53,330
you cannot enable MFA-Delete.

23
00:00:53,330 --> 00:00:55,100
You'll have to use the root account.

24
00:00:55,100 --> 00:00:57,850
And on top of it, because it's really not easy,

25
00:00:57,850 --> 00:01:01,350
you have to use MFA-Delete only using the CLI for now.

26
00:01:01,350 --> 00:01:03,080
So it's really, really hard to set up,

27
00:01:03,080 --> 00:01:04,319
but I'll show you how to do it.

28
00:01:04,319 --> 00:01:06,480
And for this, you need to use root credentials

29
00:01:06,480 --> 00:01:08,440
and there is no way of doing it in the console right now,

30
00:01:08,440 --> 00:01:10,660
it only has to be done through the CLI.

31
00:01:10,660 --> 00:01:11,980
So let's go ahead and walk through this,

32
00:01:11,980 --> 00:01:14,300
but you don't have to do the hands-on with me.

33
00:01:14,300 --> 00:01:17,110
You can just watch me 'cause it's really clunky and painful,

34
00:01:17,110 --> 00:01:20,330
but the idea you understand is that only the buck,

35
00:01:20,330 --> 00:01:22,970
the root account can enable and disable the MFA-Delete,

36
00:01:22,970 --> 00:01:26,200
and that you'll need MFA only to permanently delete

37
00:01:26,200 --> 00:01:29,140
an object version or suspend versioning on the bucket.

38
00:01:29,140 --> 00:01:31,053
So let's get started with the hands-on.