For a layer of security, when using the client you could do IAM role assumption in your local machine. You have your static creds and an MFA device, then use those to export temporary credentials to actually run the bless client. http://docs.aws.amazon.com/STS/latest/APIReference/API_Assum...