The AWS CloudTrail logging bucket should have the Multi-Factor Authentication (MFA) Delete feature enabled, so that versioned log files cannot be deleted (or have their versioning suspended) without an MFA code in addition to the caller's credentials.
Using AWS CLI
1. MFA Delete has to be enabled at the same time as you set the versioning state for your bucket. Run the put-bucket-versioning command (OSX/Linux/UNIX) to enable versioning and MFA Delete for the selected bucket.
2. Use the MFA device enabled for your AWS root account and replace the highlighted details with your own details; the --mfa parameter value should have the following format:
3. Run the get-bucket-versioning command (OSX/Linux/UNIX) with the bucket name to confirm that both versioning and MFA Delete protection are enabled.
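The three steps above, carried through as an added example (not part of the original page): a helper that builds the `--mfa` argument, the `aws s3api put-bucket-versioning` call that enables versioning and MFA Delete together, and a check that reads the `get-bucket-versioning` output and fails unless both `Status` and `MFADelete` are `Enabled`. The bucket name, account id and MFA serial are placeholders, and the two JSON responses are constructed samples.

```bash
#!/usr/bin/env bash
# Added example; assumes AWS CLI v2 s3api commands. All identifiers are placeholders.
set -eu

# Build the --mfa value: "<MFA serial or ARN> <six-digit code>", separated by one space.
mfa_arg() {
  local serial="$1" code="$2"
  case "$code" in
    [0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo "MFA code must be exactly six digits" >&2; return 1 ;;
  esac
  printf '%s %s' "$serial" "$code"
}

# Step 1+2: versioning and MFA Delete must be set in the same request, signed with
# the root account's MFA device (the bucket owner's root user is required for this).
enable_mfa_delete() {
  local bucket="$1" serial="$2" code="$3"
  aws s3api put-bucket-versioning \
    --bucket "$bucket" \
    --versioning-configuration Status=Enabled,MFADelete=Enabled \
    --mfa "$(mfa_arg "$serial" "$code")"
}

# Step 3: evaluate a get-bucket-versioning JSON response passed as the first argument.
# Succeeds only when Status and MFADelete are both "Enabled"; an empty {} means the
# bucket has never been versioned, so both fields come back as "unset".
check_versioning_json() {
  local json="$1" status mfa
  status=$(printf '%s\n' "$json" | sed -n 's/.*"Status": *"\([A-Za-z]*\)".*/\1/p')
  mfa=$(printf '%s\n' "$json" | sed -n 's/.*"MFADelete": *"\([A-Za-z]*\)".*/\1/p')
  if [ "$status" = "Enabled" ] && [ "$mfa" = "Enabled" ]; then
    echo "compliant"
  else
    echo "noncompliant: Status=${status:-unset} MFADelete=${mfa:-unset}"
    return 1
  fi
}

# Live check: fetch the bucket's state and evaluate it (needs credentials and the CLI).
check_bucket() {
  check_versioning_json "$(aws s3api get-bucket-versioning --bucket "$1")"
}

# Constructed sample responses, shaped like the real get-bucket-versioning output.
SAMPLE_OK='{"Status": "Enabled", "MFADelete": "Enabled"}'
SAMPLE_BAD='{"Status": "Enabled", "MFADelete": "Disabled"}'
check_versioning_json "$SAMPLE_OK"            # prints "compliant"
check_versioning_json "$SAMPLE_BAD" || true   # prints "noncompliant: ..."
```

Run `check_bucket <your-cloudtrail-bucket>` as the verification step; a non-zero exit means the bucket still allows deletions without MFA.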