> If machines require credentials to do specific task or perform API calls then roles should be used.
Even then, if the data must be considered highly valuable/immutable, then versioning/delete protection should be enabled for the S3 bucket(s) in questions. This requires the MFA token to be in the API call for the delete to succeed.
