
I have THALES TOTP hardware tokens (MFA) which I would like to use as an additional protection against accidental S3 object deletion (https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiFactorAuthenticationDelete.html).

I know how to do that via the AWS CLI and that it can only be enabled by the root of the account. But what I do not understand is who should be the owner of the token devices? It cannot be root, because assigning it to the root automatically enables the token for AWS Console sign-in, plus there is a maximum of 8 devices...

If the MFA is not assigned to any user I get this error: An error occurred (NotDeviceOwnerError) when calling the PutBucketVersioning operation: The device with serial number XXXXXXXXX that generated token 123456 is not owned by the authenticated user

The reason I require the token is that while using WORM S3 buckets (i.e. object versioning + Object Lock with a retention mode) some users can still delete the files, and even though they are not really deleted but only get a delete marker, it is extremely confusing, and some tools do not know how to work with versioning, so the files (objects) look deleted.

I do not see any other option for solving that problem. On one side I want the users to have full S3 permissions, but there are buckets which must be READ-ONLY....

I will be grateful for any advice.

Petr
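As an added example (not from the question's author), a small Python audit that flags buckets where MFA Delete is not actually in force and composes the `--mfa` value for PutBucketVersioning; the bucket names, device serial and versioning responses are constructed samples, not real account data.

```python
import re

# Constructed sample get-bucket-versioning responses (not real account data).
SAMPLE_BUCKETS = {
    "worm-archive": {"Status": "Enabled", "MFADelete": "Enabled"},
    "versioned-only": {"Status": "Enabled", "MFADelete": "Disabled"},
    "plain-bucket": {},                    # versioning never configured
    "suspended": {"Status": "Suspended"},  # versioning turned off again
}


def mfa_delete_state(versioning: dict) -> str:
    """Classify one get-bucket-versioning response.

    MFA Delete only protects deletes (and delete markers) when versioning
    is Enabled *and* MFADelete is Enabled; every other combination leaves
    the bucket without the second factor on DeleteObject(Version).
    """
    status = versioning.get("Status")
    mfa = versioning.get("MFADelete", "Disabled")
    if status == "Enabled" and mfa == "Enabled":
        return "protected"
    if status == "Enabled":
        return "versioned-no-mfa"
    return "unversioned"


def unprotected_buckets(buckets: dict) -> list:
    """Return the sorted names of buckets where MFA Delete is not in force."""
    return sorted(name for name, cfg in buckets.items()
                  if mfa_delete_state(cfg) != "protected")


def mfa_argument(serial: str, code: str) -> str:
    """Build the --mfa value for put-bucket-versioning: the device serial
    (hardware serial number or virtual-device ARN), a space, and the current
    six-digit TOTP code. The device must belong to the identity making the
    call (the root user), otherwise S3 answers with NotDeviceOwnerError."""
    if not serial or " " in serial:
        raise ValueError("device serial must be a single non-empty token")
    if not re.fullmatch(r"\d{6}", code):
        raise ValueError("TOTP code must be exactly six digits")
    return f"{serial} {code}"


if __name__ == "__main__":
    print(unprotected_buckets(SAMPLE_BUCKETS))
    print(mfa_argument("GAHT12345678", "123456"))  # constructed serial
```

Feed the output of `aws s3api get-bucket-versioning --bucket NAME` for each bucket into `mfa_delete_state` to turn this into a periodic check that the protection has not been silently removed.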
