GUARDRAIL "[CIS - AWS] 2.1.2 Ensure MFA Delete is enabled on S3 buckets"
  WHEN aws_s3_bucket.versioning.enabled = true
    REQUIRE versioning.mfa_delete = true
  WHEN aws_s3_bucket_versioning.versioning_configuration.status IN ["Enabled", "Suspended"]
    REQUIRE versioning_configuration.mfa_delete = "Enabled"
  OVERRIDE WITH APPROVAL @security