AWS SAP-C02 · Question 18 · Domain 1.2: Security Controls
A company requires that all IAM users authenticate using MFA before assuming any cross-account roles. They have a central Identity account and multiple workload accounts. How can the Solutions Architect enforce this requirement globally across the Organization?
Answer options:
Create an SCP attached to the root OU that denies the sts:AssumeRole action if the aws:MultiFactorAuthPresent condition key is false.
Update the trust policy of every IAM role in the workload accounts to require MFA.
Enable the 'Require MFA for cross-account access' setting in AWS IAM Identity Center.
Use AWS Config to detect roles without MFA requirements and delete them.