...

  • MFA delete can be enabled only via the AWS CLI or SDK. It cannot be enabled via the AWS S3 web console.
  • Since the root user in Cornell AWS accounts is generally not allowed to have AWS access keys configured, the root user must temporarily create access keys to use with the CLI/SDK.
    • One might think that a workaround for the access key requirement would be to use AWS CloudShell, which automatically creates temporary access keys for CLI commands. However, those temporary access keys won't work for enabling MFA delete. The access keys must be standard access keys for the root user (although once such keys are configured in CloudShell, you can issue the CLI command from there).
    • Warning: Be sure that any root user access keys created for enabling MFA delete are deleted immediately after use.
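
The procedure above as a shell sketch. This is an added example, not part of the original page. It assumes the AWS CLI is already configured with the root user's standard access keys; the function names are hypothetical, and the bucket name, MFA device serial and 6-digit code are supplied by the caller.

```shell
#!/usr/bin/env bash
# Added example: enable S3 MFA delete with root user access keys, then verify.
# Usage (all three values are the caller's own): script.sh BUCKET MFA_SERIAL CODE

# Build the value for --mfa: "<device serial or ARN> <6-digit code>".
mfa_arg() {
  local serial="$1" code="$2"
  [ -n "$serial" ] || { echo "MFA device serial/ARN required" >&2; return 1; }
  case "$code" in
    [0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo "MFA code must be exactly 6 digits" >&2; return 1 ;;
  esac
  printf '%s %s' "$serial" "$code"
}

# Succeeds only if the caller ARN is the account root user.
is_root_arn() {
  case "$1" in
    */*) return 1 ;;                      # users and roles contain a "/"
    arn:aws:iam::[0-9]*:root) return 0 ;;
    *) return 1 ;;
  esac
}

enable_mfa_delete() {
  local bucket="$1" serial="$2" code="$3" arn mfa
  mfa="$(mfa_arg "$serial" "$code")" || return 1
  # Refuse to continue unless the configured keys belong to the root user.
  arn="$(aws sts get-caller-identity --query Arn --output text)" || return 1
  is_root_arn "$arn" || { echo "Not the root user: $arn" >&2; return 1; }
  aws s3api put-bucket-versioning --bucket "$bucket" \
    --versioning-configuration Status=Enabled,MFADelete=Enabled \
    --mfa "$mfa" || return 1
  # Verify: the output should report Status and MFADelete as Enabled.
  aws s3api get-bucket-versioning --bucket "$bucket"
  # List the root access keys that still exist so they can be deleted now.
  aws iam list-access-keys --query 'AccessKeyMetadata[].AccessKeyId' --output text
}

# Run only when invoked with exactly three arguments.
if [ "$#" -eq 3 ]; then
  enable_mfa_delete "$@"
fi
```

Any key ID printed by the last command is a root access key that still needs to be deleted.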

...