Permissions
The Enforce MFA Is Enabled for AWS IAM Users policy pack requires 10 permissions:
iam:DeactivateMFADevice
iam:DeleteAccessKey
iam:DeleteLoginProfile
iam:DeleteUser
iam:DeleteUserPolicy
iam:DeleteVirtualMFADevice
iam:DetachUserPolicy
iam:ListAccessKeys
iam:ListMFADevices
iam:RemoveUserFromGroup