by earless1 4378 days ago
MFA for all console accounts is the only right answer. If machines require credentials to do a specific task or perform API calls, then roles should be used.
1 comments

> If machines require credentials to do a specific task or perform API calls, then roles should be used.

Even then, if the data must be considered highly valuable/immutable, then versioning/delete protection should be enabled for the S3 bucket(s) in question. This requires the MFA token to be in the API call for the delete to succeed.
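
The checks discussed in this thread, as an added example that is not part of either comment: it flags console users without MFA and users holding long-lived access keys in an IAM credential report, and buckets whose GetBucketVersioning response lacks versioning or MFA delete. The sample report and responses are constructed, and the function names are hypothetical.

```python
import csv
import io

# Constructed sample: a subset of the columns in an IAM credential report.
SAMPLE_REPORT = """user,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,not_supported,true,false,false
alice,true,true,false,false
bob,true,false,false,false
deploy-bot,false,false,true,false
"""

# Constructed sample: GetBucketVersioning responses keyed by bucket name.
# A bucket that never had versioning configured returns neither field.
SAMPLE_VERSIONING = {
    "audit-logs": {"Status": "Enabled", "MFADelete": "Enabled"},
    "backups": {"Status": "Enabled"},
    "scratch": {},
}

def audit_credential_report(report_csv):
    """Return (console users without MFA, users with active access keys)."""
    no_mfa, key_users = [], []
    for row in csv.DictReader(io.StringIO(report_csv)):
        # The root row does not report a usable password_enabled value,
        # so treat it as a console account unconditionally.
        is_root = row["user"] == "<root_account>"
        has_console = is_root or row["password_enabled"] == "true"
        if has_console and row["mfa_active"] != "true":
            no_mfa.append(row["user"])
        # Active long-lived keys are candidates for replacement by a role.
        if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
            key_users.append(row["user"])
    return no_mfa, key_users

def audit_bucket_versioning(responses):
    """Return {bucket: [problems]} for buckets lacking delete protection."""
    findings = {}
    for bucket, resp in sorted(responses.items()):
        problems = []
        if resp.get("Status") != "Enabled":
            problems.append("versioning not enabled")
        if resp.get("MFADelete") != "Enabled":
            problems.append("MFA delete not enabled")
        if problems:
            findings[bucket] = problems
    return findings

if __name__ == "__main__":
    print(audit_credential_report(SAMPLE_REPORT))
    print(audit_bucket_versioning(SAMPLE_VERSIONING))
```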