AWS Security Hub · Cognito
Cognito.5: Cognito users can sign in without MFA
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub Cognito.5 check?
Cognito.5 checks a user pool's MfaConfiguration and fails unless it is set to ON, meaning MFA is required for every sign-in. OFF disables MFA entirely and OPTIONAL leaves enrolment to each user — only ON actually closes the credential-leak path.
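As an added example (not Emnode's or AWS's own code), a small Python audit that applies the Cognito.5 rule above to every user pool in an account; it goes slightly beyond the page by paginating list_user_pools and failing an ON pool that has no enabled factor. The boto3 method names and the GetUserPoolMfaConfig response shape are real; FakeCognitoClient and its pool ids are constructed stand-ins so it runs offline.

```python
# Added example (not Emnode's or AWS's code): evaluates Security Hub Cognito.5 the way the
# page describes it. Response shape follows the real GetUserPoolMfaConfig API; the fake
# client and pool ids below are constructed so the script runs offline.
from typing import Any, Dict, List

PASS, FAIL = "PASSED", "FAILED"

def evaluate_cognito5(mfa_config: Dict[str, Any]) -> Dict[str, str]:
    """Verdict for one GetUserPoolMfaConfig response: OFF and OPTIONAL both fail."""
    mode = mfa_config.get("MfaConfiguration", "OFF")
    totp = mfa_config.get("SoftwareTokenMfaConfiguration", {}).get("Enabled", False)
    sms = "SmsMfaConfiguration" in mfa_config
    if mode == "ON" and (totp or sms):
        return {"status": PASS, "reason": "MFA required for every sign-in"}
    if mode == "ON":  # AWS rejects ON with no factor; a stale read still fails closed
        return {"status": FAIL, "reason": "MfaConfiguration ON but no factor enabled"}
    if mode == "OPTIONAL":
        return {"status": FAIL, "reason": "MFA optional: unenrolled users rely on password only"}
    return {"status": FAIL, "reason": "MFA disabled"}

def audit_pools(client) -> List[Dict[str, str]]:
    """Evaluate every pool via a boto3 cognito-idp client (or a stand-in with the same
    list_user_pools / get_user_pool_mfa_config methods), following NextToken pagination."""
    findings, kwargs = [], {"MaxResults": 60}
    while True:
        page = client.list_user_pools(**kwargs)
        for pool in page.get("UserPools", []):
            verdict = evaluate_cognito5(client.get_user_pool_mfa_config(UserPoolId=pool["Id"]))
            findings.append({"pool": pool["Id"], "name": pool["Name"], **verdict})
        if "NextToken" not in page:
            return findings
        kwargs["NextToken"] = page["NextToken"]

class FakeCognitoClient:
    """Constructed offline stand-in for boto3.client("cognito-idp"); ids are not real pools."""
    POOLS = {
        "eu-west-1_example1": ("shop", {"MfaConfiguration": "ON",
                                        "SoftwareTokenMfaConfiguration": {"Enabled": True}}),
        "eu-west-1_example2": ("legacy", {"MfaConfiguration": "OPTIONAL",
                                          "SoftwareTokenMfaConfiguration": {"Enabled": True}}),
        "eu-west-1_example3": ("internal", {"MfaConfiguration": "OFF"}),
    }

    def list_user_pools(self, **kwargs):
        return {"UserPools": [{"Id": i, "Name": n} for i, (n, _) in self.POOLS.items()]}

    def get_user_pool_mfa_config(self, UserPoolId):
        return self.POOLS[UserPoolId][1]
```

Against a real account, call `audit_pools(boto3.client("cognito-idp"))` with read-only Cognito permissions; only the pools reported PASSED satisfy the control.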
Why does Cognito.5 matter?
Credential-stuffing against consumer apps is continuous, automated, and cheap — a leaked password from any unrelated breach gets replayed against every Cognito login endpoint on the internet. With OPTIONAL MFA, the 85-95% of users who never enrol are protected by exactly one factor: a password they probably reused. PCI DSS 4.0 (effective March 2025) requires MFA for all access, not just admin access.
How do I fix Cognito.5?
- Set MfaConfiguration to ON so every user must enrol and present a second factor.
- Enable TOTP and/or SMS factors and verify the enrolment experience for existing users.
- Roll the change with a forced-enrolment-on-next-login flow rather than locking users out.
Remediation script · bash
# Root MFA has no CLI equivalent: register it in the console while signed in as root
# (Security credentials > Multi-factor authentication > Assign MFA device).
# Then verify a device is bound to the root ARN and the summary flag flips to 1.
aws iam list-virtual-mfa-devices --assignment-status Assigned \
--query 'VirtualMFADevices[?ends_with(SerialNumber, `:mfa/root-account-mfa-device`)].SerialNumber'
aws iam get-account-summary --query 'SummaryMap.AccountMFAEnabled'
# Enforce MFA on human IAM users with a conditional-deny policy keyed on the MFA flag.
aws iam attach-group-policy --group-name HumanUsers \
--policy-arn arn:aws:iam::123456789012:policy/RequireMFAForUsers
# Require MFA pool-wide on a customer-facing Cognito pool.
aws cognito-idp set-user-pool-mfa-config --user-pool-id eu-west-1_aB3cD4eFg \
--mfa-configuration ON --software-token-mfa-configuration Enabled=true
Full walkthrough (console steps, edge cases and verification) in the lesson Enable MFA for root and IAM users.
Is Cognito.5 a false positive?
OPTIONAL MFA gives the illusion of protection on the dashboard but not the reality — most users never enrol. The control only passes at ON, where unenrolled users are forced through enrolment on next login.