MFA for all console accounts is the only right answer. If machines require credentials to do specific task or perform API calls then roles should be used.
> If machines require credentials to do specific task or perform API calls then roles should be used.
Even then, if the data must be considered highly valuable/immutable, then versioning/delete protection should be enabled for the S3 bucket(s) in questions. This requires the MFA token to be in the API call for the delete to succeed.