MFA Delete adds an extra layer of security for critical S3 versioning operations by requiring a multi-factor authentication code.
MFA required for:
- Permanently deleting an object version.
- Suspending bucket versioning.
MFA not required for:
- Enabling versioning.
- Listing deleted versions.
Key points:
- Versioning must be enabled to use MFA Delete.
- Can be enabled/disabled only by the root account (bucket owner).