Attach a policy to the S3 bucket to prompt for an MFA code during actions by the IAM user, and use IAM access keys with the AWS CLI to interact with Amazon S3.

Update the S3-access group's trust policy to require MFA for assuming the group, and use IAM access keys with the AWS CLI to interact with Amazon S3.

Attach a policy to the S3-access group to deny all S3 actions without MFA, and use IAM access keys with the AWS CLI to interact with Amazon S3.

Attach a policy to the S3-access group to deny all S3 actions without MFA, request temporary credentials from AWS STS, and use these credentials in a profile referenced by Amazon S3 during user actions.