Question: 1/50
A security engineer needs to ensure that all new IAM users in an AWS account use MFA before they can call any AWS API. Existing automation uses access keys. Which solution best enforces this requirement with the least operational overhead?
Attach an IAM policy to each user that denies all actions unless aws:MultiFactorAuthPresent is true
Create an AWS Organizations SCP that denies all actions when aws:MultiFactorAuthPresent is false
Enable MFA Delete on all S3 buckets to force MFA usage for API calls
Use AWS WAF to block API calls that do not include an MFA token