A company has two AWS accounts: Account A and Account B.

To ensure that IAM users in Account B can only assume a role in Account A if they are authenticated with Multi-Factor Authentication (MFA), the recommended solution is to add anaws:MultiFactorAuthPresentcondition to the role's trust policy in Account A. The trust policy defines which principals (users, applications, services) can assume the role and under what conditions. By adding theaws:MultiFactorAuthPresentcondition, the policy explicitly requires MFA to be present for the assume role action to succeed. This ensures that only authenticated users with MFA can assume the role, enhancing the security posture with minimal operational overhead and without modifying permissions or session policies, which could affect the role's intended capabilities.