To use MFA with the CLI, you can authenticate using an MFA token.
This script first authenticates using a profile from the default credentials file (/home/username/.aws/credentials):
[my_aws_profile]
In this case I'm creating an AWS IAM group that has a list of policies.
In var.aws_policies_names I keep a list of names of AWS managed policies that allow the use of several AWS services. If you want to add another AWS managed policy, you just need to add it to the list in vars.
In policy.json I deny the use of important admin S3 buckets.
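
The layout described above, written out as an added Terraform example (not the original project's code). `var.aws_policies_names` and `policy.json` are the names used on this page; the group name, the sample policy names, the resource labels and the bucket placeholder are assumptions.

```hcl
# Added example: names marked "assumed" are not from the original page.
variable "aws_policies_names" {
  description = "Names of AWS managed policies to attach to the group"
  type        = list(string)
  default     = ["AmazonS3FullAccess", "AmazonEC2ReadOnlyAccess"] # sample values
}

resource "aws_iam_group" "team" {
  name = "example-team" # assumed group name
}

# Resolve each managed policy name to its ARN.
data "aws_iam_policy" "managed" {
  for_each = toset(var.aws_policies_names)
  name     = each.value
}

# One attachment per entry in var.aws_policies_names.
resource "aws_iam_group_policy_attachment" "managed" {
  for_each   = data.aws_iam_policy.managed
  group      = aws_iam_group.team.name
  policy_arn = each.value.arn
}

# Inline deny policy loaded from policy.json next to this file.
# An explicit Deny overrides any Allow granted by the managed policies above.
# Constructed policy.json (bucket name is a placeholder):
# {
#   "Version": "2012-10-17",
#   "Statement": [{
#     "Sid": "DenyAdminBuckets",
#     "Effect": "Deny",
#     "Action": "s3:*",
#     "Resource": [
#       "arn:aws:s3:::EXAMPLE-ADMIN-BUCKET",
#       "arn:aws:s3:::EXAMPLE-ADMIN-BUCKET/*"
#     ]
#   }]
# }
resource "aws_iam_group_policy" "deny_admin_buckets" {
  name   = "deny-admin-buckets" # assumed policy name
  group  = aws_iam_group.team.name
  policy = file("${path.module}/policy.json")
}
```

Both the bucket ARN and the `/*` object ARN are listed so the deny covers bucket-level and object-level actions.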