When working with S3 Versioning in Amazon S3 buckets, you can optionally add another layer of security by configuring a bucket to enable MFA (multi-factor authentication) delete. When you do this, the bucket owner must include two forms of authentication in any request to delete a version or change the versioning state of the bucket. - from AWS documentation
Beyond needing root credentials to enable MFA delete, there are additional requirements:
```bash
# Virtual MFA token
aws s3api put-bucket-versioning \
    --bucket BUCKET_NAME \
    --versioning-configuration Status=Enabled,MFADelete=Enabled \
    --mfa "arn:aws:iam::123456789012:mfa/root-account-mfa-device MFA_CODE"

# -OR-

# Physical MFA token
aws s3api put-bucket-versioning \
    --bucket BUCKET_NAME \
    --versioning-configuration Status=Enabled,MFADelete=Enabled \
    --mfa "MFA_SERIAL_NUMBER MFA_CODE"
```
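To confirm the setting took effect, and to find buckets where it is still missing, the versioning state can be read back with `aws s3api get-bucket-versioning`. The script below is an added example, not part of the original page or of AWS's documentation; the function names are hypothetical, and it assumes an AWS CLI profile that is allowed `s3:GetBucketVersioning` and `s3:ListAllMyBuckets`.

```bash
#!/usr/bin/env bash
# Added example: report the MFA delete state of S3 buckets.

# classify_versioning STATUS MFADELETE
# Takes the two fields of the get-bucket-versioning response. The response
# omits both fields on a bucket that never had versioning configured, and the
# CLI prints "None" for an omitted field in text output.
classify_versioning() {
    local status="${1:-None}" mfa="${2:-None}"
    case "$status/$mfa" in
        Enabled/Enabled)   echo "OK" ;;
        Suspended/Enabled) echo "WARN versioning suspended, MFA delete still set" ;;
        Enabled/*)         echo "FAIL versioning on, MFA delete off" ;;
        Suspended/*)       echo "FAIL versioning suspended, MFA delete off" ;;
        None/*)            echo "FAIL versioning never enabled" ;;
        *)                 echo "UNKNOWN $status/$mfa" ;;
    esac
}

# audit_bucket BUCKET: query one bucket and print "<bucket> <verdict>".
audit_bucket() {
    local bucket="$1" out status mfa
    if ! out=$(aws s3api get-bucket-versioning --bucket "$bucket" \
                 --query '[Status,MFADelete]' --output text 2>/dev/null); then
        echo "$bucket ERROR could not read versioning configuration"
        return 1
    fi
    status=$(printf '%s\n' "$out" | awk '{print $1}')
    mfa=$(printf '%s\n' "$out" | awk '{print $2}')
    echo "$bucket $(classify_versioning "$status" "$mfa")"
}

# audit_all: run the check over every bucket the caller can list.
audit_all() {
    local bucket rc=0
    for bucket in $(aws s3api list-buckets --query 'Buckets[].Name' --output text); do
        audit_bucket "$bucket" || rc=1
    done
    return "$rc"
}
```

Run `audit_bucket BUCKET_NAME` right after the `put-bucket-versioning` call, or `audit_all` on a schedule; any line not ending in `OK` is a bucket whose object versions can be deleted without an MFA code.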