Establish a new AWS account accessible only to the security team via an assumed role. Within this account, create an S3 bucket, enable S3 Versioning and S3 Object Lock, and set a default retention period of one year. Configure replication from the original S3 bucket to the new one and initiate an S3 Batch Replication job to transfer all existing data.

Implement the s3-bucket-versioning-enabled AWS Config managed rule. Set up an automated remediation action using an AWS Lambda function to enforce S3 Versioning and MFA Delete on non-compliant resources. Include an S3 Lifecycle rule to automatically delete objects after one year.

Prohibit bucket creation by all users and roles, except through an AWS Service Catalog launch constraint role. Create a Service Catalog product that mandates S3 Versioning and MFA Delete for bucket creation. Grant users permission to create buckets using this product as needed.

Activate Amazon GuardDuty with the S3 protection feature for the account and the relevant AWS Region. Implement an S3 Lifecycle rule to remove objects after one year.