Enforce MFA for all administrative and privileged cloud access.

• Require MFA for the root/global admin account immediately
• Enforce MFA for console access for all human identities
• Consider hardware tokens for high-privileged roles
• Use condition keys in policies to mandate MFA for API access when assuming critical roles