A security engineer is tasked with enhancing the security of AWS API operations by designing an IAM policy that requires multi-factor authentication (MFA) for IAM users to access specific services within the AWS production account. Additionally, the policy must ensure that each authenticated session remains valid for no more than 2 hours. Which two conditions should be included in the IAM policy to fulfill these security requirements?