To enhance security, a company wants to ensure that all IAM users are required to use MFA before accessing sensitive AWS services. How can this requirement be enforced?