Synopsis
Use an IAM policy that denies (almost) every AWS action to users who have not authenticated with MFA, so that a password or access key alone grants little more than the ability to set up an MFA device.
Example
The complete policy is published in the AWS IAM documentation under the title "Allows MFA-authenticated IAM users to manage their own credentials on the My Security Credentials page". Its deny statement keys on the condition "BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}; the IfExists variant matters, because requests signed with long-term access keys carry no aws:MultiFactorAuthPresent key at all, and a plain "Bool" would let them through.
To let users who have not yet set up MFA change their password, I'd add "iam:ChangePassword" to the "NotAction" list of the "DenyAllExceptListedIfNoMFA" statement. The trade-off is that anyone holding only the password can then rotate it, so keep the matching Allow statement scoped to the user's own ARN, as the AWS example does.
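The following is an added example, not part of the original note or of the AWS documentation. It models the "DenyAllExceptListedIfNoMFA" statement with "iam:ChangePassword" appended to NotAction and evaluates it against three request contexts: an MFA-authenticated console session, a password-only session, and a request signed with long-term access keys (where the MFA key is absent). It also shows what happens if "BoolIfExists" is replaced with a plain "Bool". The NotAction list is reproduced from memory of the published AWS example and should be checked against the current page; the evaluator itself covers only the Bool/BoolIfExists operators and Action/NotAction matching, which is all this statement needs.

```python
import copy

# Deny statement modelled on the AWS example policy's "DenyAllExceptListedIfNoMFA",
# with "iam:ChangePassword" added as the note above suggests. The other entries are
# assumed to match the published example; verify against the current AWS page.
DENY_IF_NO_MFA = {
    "Sid": "DenyAllExceptListedIfNoMFA",
    "Effect": "Deny",
    "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:GetMFADevice",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken",
        "iam:ChangePassword",  # the edit discussed in the note
    ],
    "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
}

# Constructed request contexts. A request signed with long-term access keys has no
# aws:MultiFactorAuthPresent key at all, which is exactly the case IfExists handles.
CONSOLE_WITH_MFA = {"aws:MultiFactorAuthPresent": True}
CONSOLE_PASSWORD_ONLY = {"aws:MultiFactorAuthPresent": False}
ACCESS_KEY_REQUEST = {}


def action_matches(pattern, action):
    """IAM action names match case-insensitively; '*' is the only wildcard used here."""
    pattern, action = pattern.lower(), action.lower()
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def condition_matches(condition, context):
    """Evaluate Bool / BoolIfExists blocks against the request context."""
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise ValueError(f"operator {operator} not modelled in this example")
        for key, wanted in pairs.items():
            if key not in context:
                if operator == "BoolIfExists":
                    continue  # missing key counts as a match for *IfExists operators
                return False  # plain Bool: missing key means the condition fails
            if str(context[key]).lower() != str(wanted).lower():
                return False
    return True


def statement_denies(action, context, statement=DENY_IF_NO_MFA):
    """True if the Deny statement fires for this action under this request context."""
    if "NotAction" in statement:
        hit = not any(action_matches(p, action) for p in statement["NotAction"])
    else:
        hit = any(action_matches(p, action) for p in statement["Action"])
    return hit and condition_matches(statement.get("Condition", {}), context)


def with_plain_bool(statement):
    """The common mistake: same statement but using Bool instead of BoolIfExists."""
    weak = copy.deepcopy(statement)
    weak["Condition"] = {"Bool": statement["Condition"]["BoolIfExists"]}
    return weak


if __name__ == "__main__":
    for label, ctx in [("mfa session", CONSOLE_WITH_MFA),
                       ("password only", CONSOLE_PASSWORD_ONLY),
                       ("access keys", ACCESS_KEY_REQUEST)]:
        for action in ["s3:ListAllMyBuckets", "iam:ChangePassword", "iam:EnableMFADevice"]:
            print(f"{label:14} {action:24} denied={statement_denies(action, ctx)}")
    print("plain Bool, access keys, s3:ListAllMyBuckets denied =",
          statement_denies("s3:ListAllMyBuckets", ACCESS_KEY_REQUEST, with_plain_bool(DENY_IF_NO_MFA)))
```

Run as a script to see the matrix: everything outside the NotAction list is denied for the password-only session and for access-key requests, the MFA-enrolment actions and iam:ChangePassword stay reachable without MFA, and the plain-Bool variant silently stops denying access-key requests.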