Compliance · Medium severity

AWS Security Hub · IAM

IAM.19: MFA should be enabled for all IAM users

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub IAM.19 check?

IAM.19 fails when any IAM user lacks an MFA device. Unlike the console-only IAM.5 check, IAM.19 covers every user — including programmatic-only identities that have access keys but no console password.

Why does IAM.19 matter?

The programmatic-only users IAM.19 surfaces are often the riskiest: forgotten automation accounts whose long-lived keys end up committed to public repos and weaponised within minutes. Requiring MFA across all users closes the gap IAM.5 misses and forces a hard look at every credential that can act in the account.

How do I fix IAM.19?

  1. Run a credential-report query to find every user without an MFA device.
  2. Enrol human users in MFA, or lock them out until they have enrolled.
  3. For service accounts that can't use MFA, retire the user entirely or replace its keys with a role — often deleting it is the right fix, not patching it.
  4. Enforce MFA with a conditional IAM policy and migrate humans onto IAM Identity Center to shrink the surface.

Remediation script · bash

# Root MFA has no CLI equivalent: register it in the console while signed in as root
# (Security credentials > Multi-factor authentication > Assign MFA device).
# Then verify a device is bound to the root ARN and the summary flag flips to 1.
aws iam list-virtual-mfa-devices --assignment-status Assigned \
  --query 'VirtualMFADevices[?ends_with(SerialNumber, `:mfa/root-account-mfa-device`)].SerialNumber'
aws iam get-account-summary --query 'SummaryMap.AccountMFAEnabled'

# Enforce MFA on human IAM users with a conditional-deny policy keyed on the MFA flag.
aws iam attach-group-policy --group-name HumanUsers \
  --policy-arn arn:aws:iam::123456789012:policy/RequireMFAForUsers

# Require MFA pool-wide on a customer-facing Cognito pool.
aws cognito-idp set-user-pool-mfa-config --user-pool-id eu-west-1_aB3cD4eFg \
  --mfa-configuration ON --software-token-mfa-configuration Enabled=true
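
Steps 1 to 4 above, carried through as one added bash script. It is an example written for this page, not Emnode's remediation script. It triages a constructed credential report (the CSV column layout is the documented one; the rows are made up), classifies each user without an MFA device so the step-3 decision is obvious, and emits the conditional-deny policy that the page's script attaches as RequireMFAForUsers. The group and policy names are the page's; the policy body (modelled on the AWS-documented self-service MFA pattern), the function names and the sample users are assumptions.

```bash
#!/usr/bin/env bash
# Added example for this page, not Emnode's remediation script.
# Steps 1-4 as code: triage the credential report for users without an MFA device,
# classify each one for the step-3 decision, and emit the conditional-deny policy
# that the page's script attaches as RequireMFAForUsers.
set -eu

# Step 1 input. Constructed sample in the documented credential-report CSV layout
# (22 columns; column 4 = password_enabled, 8 = mfa_active, 9/14 = access_key_N_active).
SAMPLE_REPORT='user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2021-03-01T09:00:00+00:00,not_supported,2024-05-01T10:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2022-01-10T08:00:00+00:00,true,2024-05-02T09:00:00+00:00,2024-01-10T08:00:00+00:00,N/A,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2022-06-15T08:00:00+00:00,true,2024-05-02T11:00:00+00:00,2024-02-15T08:00:00+00:00,N/A,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2020-11-20T08:00:00+00:00,false,N/A,N/A,N/A,false,true,2020-11-20T08:00:00+00:00,2024-05-02T12:00:00+00:00,eu-west-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
orphan,arn:aws:iam::123456789012:user/orphan,2019-02-02T08:00:00+00:00,false,N/A,N/A,N/A,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A'

# Live path for step 1: generate the report, wait until it is COMPLETE, decode it.
# Needs iam:GenerateCredentialReport and iam:GetCredentialReport.
fetch_credential_report() {
  state=""
  while [ "$state" != "COMPLETE" ]; do
    state=$(aws iam generate-credential-report --query State --output text)
    [ "$state" = "COMPLETE" ] || sleep 2
  done
  aws iam get-credential-report --query Content --output text | base64 --decode
}

# Steps 1-3: print "user<TAB>class" for every IAM user with mfa_active=false.
# Root is skipped (IAM.19 is about IAM users; root MFA is IAM.6/IAM.9). The class is
# the step-3 decision: "console" users are humans to enrol or lock out (they also fail
# IAM.5); "programmatic-only" users are the ones IAM.5 misses, so retire them or move
# the workload to a role; "no-credentials" users have nothing to sign in with and are
# usually just deleted.
users_without_mfa() {
  printf '%s\n' "$1" | awk -F, '
    NR == 1 || $1 == "<root_account>" { next }
    $8 == "false" {
      if ($4 == "true")                        cls = "console"
      else if ($9 == "true" || $14 == "true")  cls = "programmatic-only"
      else                                     cls = "no-credentials"
      printf "%s\t%s\n", $1, cls
    }'
}

# Step 4: the conditional-deny policy (body is an assumption; the page only names it).
# BoolIfExists is the important part: requests signed with long-term access keys carry
# no aws:MultiFactorAuthPresent key in the request context at all, so a plain Bool test
# would never match them and keyed users would slip past the deny. Attach it to the
# human group only: a programmatic-only user under it can act only after
# sts:GetSessionToken with an MFA code, which such users cannot supply.
require_mfa_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    { "Sid": "AllowListVirtualMfaDevices", "Effect": "Allow",
      "Action": "iam:ListVirtualMFADevices", "Resource": "*" },
    { "Sid": "AllowCreateOwnVirtualMfaDevice", "Effect": "Allow",
      "Action": "iam:CreateVirtualMFADevice", "Resource": "arn:aws:iam::*:mfa/*" },
    { "Sid": "AllowManageOwnUserMfa", "Effect": "Allow",
      "Action": ["iam:EnableMFADevice", "iam:GetUser", "iam:ListMFADevices", "iam:ResyncMFADevice"],
      "Resource": "arn:aws:iam::*:user/${aws:username}" },
    { "Sid": "DenyAllExceptListedIfNoMfa", "Effect": "Deny",
      "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser",
                    "iam:ListMFADevices", "iam:ListVirtualMFADevices", "iam:ResyncMFADevice",
                    "sts:GetSessionToken"],
      "Resource": "*",
      "Condition": { "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" } } }
  ]
}
EOF
}

# Live path for step 4, using the group and policy names from the page's script.
# Call it only after the triage output shows HumanUsers holds no programmatic-only users.
attach_require_mfa_policy() {
  require_mfa_policy > /tmp/RequireMFAForUsers.json
  policy_arn=$(aws iam create-policy --policy-name RequireMFAForUsers \
    --policy-document file:///tmp/RequireMFAForUsers.json --query Policy.Arn --output text)
  aws iam attach-group-policy --group-name HumanUsers --policy-arn "$policy_arn"
}

# Offline demo by default; pass --live to triage the real account's report.
if [ "${1:-}" = "--live" ]; then
  users_without_mfa "$(fetch_credential_report)"
else
  users_without_mfa "$SAMPLE_REPORT"
fi
```

On the constructed report the triage prints bob as console, ci-deploy as programmatic-only and orphan as no-credentials; alice and root are silent because their MFA flag is already true. The policy is written as a heredoc rather than inline in the CLI call so it can be reviewed (and diffed against what is already in the account with `aws iam get-policy-version`) before `attach_require_mfa_policy` creates and attaches it.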

Full walkthrough (console steps, edge cases and verification) in the lesson Enable MFA for root and IAM users.

Part of the learning path Lock down access
  • IAM.1 A policy grants full "*" administrative privileges
  • IAM.2 Policies attached directly to users do not scale or audit cleanly
  • IAM.3 Long-lived access keys have not been rotated
  • IAM.4 The root user still has long-lived access keys
  • IAM.5 Console users without MFA are one phish from compromise
  • IAM.6 The root user is not protected by hardware MFA
  • IAM.7 The IAM password policy is too weak
  • IAM.8 Unused IAM keys and passwords are waiting to be leaked
  • IAM.9 The root user can sign in without MFA
  • IAM.10 IAM user password policies should be strong (PCI DSS)
  • IAM.21 Wildcard permissions grant far more access than intended
  • IAM.22 IAM credentials unused for 45 days should be removed