How to disable MFA delete on your S3 bucket through AWS CLI?

Question

I understand how to enable MFA delete, however, I was wondering if you can disable it after you've enabled it? This is what I did to enable:

aws s3api put-bucket-versioning --bucket bucket-name --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "arn:aws:iam::xxxxxxxxxx:mfa/root-account-mfa-device xxxxx"

I tried this to disable:

aws s3api put-bucket-versioning --bucket bucket-name --versioning-configuration Status=Disabled,MFADelete=Disabled --mfa "arn:aws:iam::xxxxxxxx:mfa/root-account-mfa-device xxxx"

But I got the following error:

An error occurred (MalformedXML) when calling the PutBucketVersioning operation: The XML you provided was not well-formed or did not validate against our published schema

Answer 1

aws s3api put-bucket-versioning --bucket rajeevbuckettest001 --versioning-configuration MFADelete=Disabled,Status=Enabled --mfa "arn:aws:iam::420337427158:mfa/AUTHY 548818"

Answer 2

Frankly I've been stuck with the same issue, but when I gave precedence to {MFADelete} over versioning status it eventually worked fine.

aws s3api put-bucket-versioning --bucket bucket_name --versioning-configuration MFADelete=Disabled,Status=Enabled --mfa "{arn of root-mfa-device} {current 6 digit code from MFA device}" --profile profile_name

PS: I've looked up some posts and found that schema could change based on the call/action.

Answer 3

Based on what I have learned so far, the only way to disable 'MFA Delete' is by running the following on the AWS CLI:

aws s3api put-bucket-versioning --bucket {bucketname} --versioning-configuration "MFADelete=Disabled,Status=Suspended" --mfa "{arn of mfa-device} {current 6 digit code from MFA device}"

Also, user must own the MFA device represented by the {arn of mfa-device}.