AWS SAA-C03 · Question 12 · Domain 1.1: Secure Access
A company wants to enforce a policy that all IAM users must use Multi-Factor Authentication (MFA). If a user does not have MFA enabled, they should only be able to manage their own credentials and MFA device, and should be denied access to all other AWS services.

How can a solutions architect implement this requirement?
Answer options:
Use AWS Config to detect users without MFA and automatically delete their IAM accounts.
Create an IAM policy that uses the aws:MultiFactorAuthPresent condition key set to false to deny all actions except IAM credential management.
Enable the 'Require MFA' setting in the AWS IAM Account Settings console.
Create a Service Control Policy (SCP) that denies access to the AWS Management Console without MFA.