I recently had to do a bulk S3 changes, and I ran into some unexpected challenges with MFA and object versioning. MFA is great for security is, by design, difficult to turn off if you are not the bucket owner, and will lock versioning being enabled if it is on. If the bucket does not have MFA enabled and has versioning on everything you try to change will create a marker to a version of the object, so it's not really changed. To get around this I had to disable MFA for the bucket, disable versioning, and set up a lifecycle policy that took 24+ hours to start running. If you are going to try bulk change objects in a bucket check your bucket settings, do test to make sure the policies work the way you expected, and use the policies, that seems to be the smoothest method I could find.
