AWS Security Hub · IAM
IAM.5: Console users without MFA are one phish from compromise
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub IAM.5 check?
IAM.5 fails for any IAM user who has a console password (i.e. can sign in to the AWS Management Console) but does not have MFA enabled.
Why does IAM.5 matter?
Console users without MFA are the single most common entry point in real breaches: a phished or reused password is enough. MFA turns a stolen password into a non-event. The control specifically targets human, password-holding identities — exactly the ones attackers phish.
How do I fix IAM.5?
- List users with a login profile but no MFA device (the IAM credential report has both columns).
- Enrol each in a virtual or hardware MFA device, or migrate console access to federated SSO that enforces MFA centrally.
- Add an IAM policy that denies sensitive actions unless aws:MultiFactorAuthPresent is true, so MFA is enforced, not just available.
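As an added example (not code from this page or from AWS), a Python check for the first step above: it parses the IAM credential report CSV, whose password_enabled and mfa_active columns are the two IAM.5 compares, skips the root row (root MFA is covered by IAM.9 and IAM.6, not IAM.5) and treats not_supported as "no console password". The sample report, user names and account id are constructed.

```python
import base64
import csv
import io

# Constructed sample credential report: real column names, made-up users and account id.
# The root row is always present and reports password_enabled as "not_supported".
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T09:00:00+00:00,not_supported,not_supported,false,false,false
alice,arn:aws:iam::123456789012:user/alice,2021-03-02T10:00:00+00:00,true,2024-05-02T08:00:00+00:00,2024-01-15T10:00:00+00:00,N/A,false,true,false
bob,arn:aws:iam::123456789012:user/bob,2021-03-02T10:00:00+00:00,true,no_information,2024-01-15T10:00:00+00:00,N/A,true,false,false
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2022-07-09T12:00:00+00:00,false,no_information,N/A,N/A,false,true,false
"""
# `aws iam get-credential-report` returns the CSV base64-encoded in its Content field;
# this mirrors that shape so decode_report() can be exercised offline.
SAMPLE_CONTENT_B64 = base64.b64encode(SAMPLE_REPORT.encode())


def decode_report(content):
    """Turn the base64 Content of get-credential-report (bytes or str) into CSV text."""
    if isinstance(content, str):
        content = content.encode()
    return base64.b64decode(content).decode()


def iam5_findings(report_csv):
    """Return IAM user names that fail IAM.5: console password enabled, MFA not active.

    Root is skipped on purpose: IAM.5 only evaluates IAM users.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue
        # password_enabled is "true", "false" or "not_supported"; only "true"
        # means the user can sign in to the console, so only "true" is in scope.
        if row["password_enabled"].lower() != "true":
            continue
        # mfa_active is "true" when any virtual or hardware device is assigned.
        if row["mfa_active"].lower() != "true":
            findings.append(row["user"])
    return findings


if __name__ == "__main__":
    for user in iam5_findings(decode_report(SAMPLE_CONTENT_B64)):
        print(f"IAM.5 FAILED: {user} has a console password but no MFA device")
```

Feed the real report in by replacing SAMPLE_CONTENT_B64 with the Content field from the CLI or boto3 response.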
Remediation script · bash
# Root MFA has no CLI equivalent: register it in the console while signed in as root
# (Security credentials > Multi-factor authentication > Assign MFA device).
# Then verify a device is bound to the root ARN and the summary flag flips to 1.
aws iam list-virtual-mfa-devices --assignment-status Assigned \
    --query 'VirtualMFADevices[?ends_with(SerialNumber, `:mfa/root-account-mfa-device`)].SerialNumber'
aws iam get-account-summary --query 'SummaryMap.AccountMFAEnabled'
# Enforce MFA on human IAM users with a conditional-deny policy keyed on the MFA flag.
aws iam attach-group-policy --group-name HumanUsers \
    --policy-arn arn:aws:iam::123456789012:policy/RequireMFAForUsers
# Require MFA pool-wide on a customer-facing Cognito pool.
aws cognito-idp set-user-pool-mfa-config --user-pool-id eu-west-1_aB3cD4eFg \
    --mfa-configuration ON --software-token-mfa-configuration Enabled=true
Full walkthrough (console steps, edge cases and verification) in the lesson Enable MFA for root and IAM users.
Is IAM.5 a false positive?
Service accounts with access keys but no console password do not trigger IAM.5 — it only looks at users who can actually sign in to the console.
More IAM controls
- IAM.1 A policy grants full "*" administrative privileges
- IAM.2 Policies attached directly to users do not scale or audit cleanly
- IAM.3 Long-lived access keys have not been rotated
- IAM.4 The root user still has long-lived access keys
- IAM.6 The root user is not protected by hardware MFA
- IAM.7 The IAM password policy is too weak
- IAM.8 Unused IAM keys and passwords are waiting to be leaked
- IAM.9 The root user can sign in without MFA
- IAM.10 IAM user password policies should be strong (PCI DSS)
- IAM.19 MFA should be enabled for all IAM users
- IAM.21 Wildcard permissions grant far more access than intended
- IAM.22 IAM credentials unused for 45 days should be removed