Answer: B
Option A is incorrect because the username and password are the first levels of authentication and the ask would be for an additional layer of authentication after the user credentials.
Option B is CORRECT because you can enable multi-factor authentication (MFA) for your AWS Managed Microsoft AD directory to increase security when your users specify their AD credentials to access Supported Amazon Enterprise Applications. When you enable MFA, your users enter their username and password (first factor) as usual. They must also enter an authentication code (the second factor) they obtain from your virtual or hardware MFA solution. These factors together provide additional security by preventing access to your Amazon Enterprise applications unless users supply valid user credentials and a valid MFA code.
Option C is incorrect because AWS access keys are used for programmatic access to AWS services via CLI or SDK. It cannot provide a second layer of authentication via Microsoft AD.Option D is incorrect because MFA needs to be enabled on the AD Directory and not on the AWS IAM service.
Reference:
https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_mfa.html