Compliance

Enable MFA for root and IAM users

One capability across the root user, IAM console and programmatic users, and Cognito user pools: make a stolen password or key useless on its own by requiring a second factor everywhere an identity can sign in.

14 min·10 sections·AWS

Last reviewed 16 June 2026

Remediates AWS Security Hub: Cognito.5 IAM.5 IAM.6 IAM.9 IAM.19

Enabling MFA: the basics

What does "require a second factor" actually mean across AWS identities?

Multi-factor authentication (MFA) is one capability with several shapes. The root user has its own MFA, registered while signed in as root. Every IAM user can carry a virtual TOTP app, a FIDO2 hardware key, or a hardware token. Amazon Cognito user pools enforce MFA for your end customers through an MfaConfiguration setting. Each is a different control on the report, but the underlying idea is identical: a password or access key, on its own, should not be enough to act.

AWS Security Hub turns each of these into its own control. IAM.9 checks MFA on the root user, IAM.6 is the stricter hardware-only version of the same, IAM.5 checks MFA on IAM users with a console password, IAM.19 broadens that to every IAM user including programmatic-only ones, and Cognito.5 checks that a user pool requires MFA rather than leaving it optional. They look like separate findings, but they are one capability: every identity that can authenticate should need a second factor.

The reason this matters more than its mixed severities suggest is that credential compromise is still the most common entry route into a cloud account. A leaked root password is a total, unrecoverable takeover. A leaked programmatic key is exactly as dangerous as a phished admin password and far more likely to sit unnoticed in a committed file. Optional Cognito MFA leaves the majority of customer accounts protected by a reused password alone. MFA closes all three doors at once.

In this lesson you will learn how AWS expresses MFA across the root user, IAM console and programmatic users, and Cognito user pools, why the programmatic and customer-facing identities are often the most dangerous to leave unprotected, and how to enable a second factor everywhere without locking anyone out. The Controls this lesson covers section lists every Security Hub control in this capability, each linking to a deep page with the exact check and a copy-and-paste fix.

Fun fact

The keys nobody logs in with are the ones that leak

Annual secrets-sprawl research consistently finds millions of credentials accidentally committed to public code repositories every year, and AWS access keys are among the most common and the fastest weaponised. Automated scanners crawl new public commits continuously; a leaked key with broad permissions can be live-mining cryptocurrency before the developer who pushed it has finished their coffee. The identities IAM.19 catches that the console-only check misses, programmatic users with no console password, are exactly the ones whose keys end up in those commits, because nobody treats an automation account as a human-facing security risk. The same pattern shows up on the customer side: optional Cognito MFA leaves the majority of accounts protected by a password reused from some other site that has already been breached.

Finding identities without a second factor

Priya is the security lead at a scale-up preparing for its first SOC 2 audit. Security Hub shows MFA failures spread across the root user, a batch of IAM users, and a customer-facing Cognito pool in accounts that pre-date the team's current guardrails.

Rather than work the findings one by one, she starts by reading the account credential report, which lists every IAM user and whether MFA is active regardless of how they authenticate, so she can separate the high-risk identities from the rest before changing anything.

The credential report exposes mfa_active for every user, including programmatic-only ones the console-MFA check ignores. Filter to the users that fail IAM.19.

$ aws iam generate-credential-report && aws iam get-credential-report --query Content --output text | base64 -d | awk -F, 'NR==1 || $8=="false" {print $1","$4","$8","$10}'

user,password_enabled,mfa_active,access_key_1_active

ci-deployer,false,false,true

backup-runner,false,false,true

jess.intern,true,false,false

# Two programmatic-only users the console-MFA check never flags. IAM.19 catches them all.

Key-only automation users are the highest-risk MFA gap. Retire them for roles, or enrol them before flipping enforcement on.

How AWS evaluates MFAdeep dive

Root MFA (IAM.9) is read from the account summary flag AccountMFAEnabled via the Config rule root-account-mfa-enabled, which runs on a periodic schedule. It passes when any MFA device is enrolled, or when the root user has no sign-in credentials at all. IAM.6 is the stricter sibling: it passes only with a hardware device, so an account with a virtual authenticator on root passes IAM.9 but still fails IAM.6. Both must be done interactively while signed in as root; there is no IAM API that enrols MFA on root, by design.

The IAM user controls read the credential report. IAM.5 (mfa-enabled-for-iam-console-access) only evaluates users with a console password, while IAM.19 (iam-user-mfa-enabled) evaluates every IAM user with no further condition, which is why a programmatic-only user passes IAM.5 but fails IAM.19. AWS supports virtual TOTP, FIDO2 hardware keys, and hardware tokens; SMS MFA for IAM users was deprecated in 2019 because SIM-swap attacks make it materially weaker. FIDO2 is the strongest because the credential is bound to the sign-in domain and cannot be phished and replayed.

Cognito MFA (Cognito.5) is read from the user pool's MfaConfiguration. Only ON actually requires a second factor; OPTIONAL provides the illusion of MFA, since in practice only a small minority of users enrol voluntarily. Importantly, every one of these controls is a report of state, not an enforcement mechanism for IAM users: IAM.5 and IAM.19 tell you a user lacks a device, but enforcement comes from a conditional-deny policy keyed on aws:MultiFactorAuthPresent, or, more durably, from retiring the long-lived identity entirely.

What is the impact of leaving identities without MFA?

The direct impact is account takeover from a single leaked secret. For the root user the blast radius is unbounded and unrecoverable: no IAM policy can constrain root, so a password-only root user is one phished credential away from total control, uncapped fraudulent spend, and the ability to lock out every other administrator. For an IAM user the blast radius is whatever the user can do, and IAM users are disproportionately administrators or automation accounts with broad permissions.

The second-order impact is detection time. Key-only identities are rarely watched, so a breach through a leaked programmatic key often runs for days before anyone notices. On the customer side, credential-stuffing against a Cognito pool on OPTIONAL MFA is continuous and automated; a leaked password from any unrelated breach gets replayed against every login endpoint, and the majority of accounts that never enrolled have only that password protecting them.

On the compliance side, every modern framework, SOC 2, ISO 27001, PCI DSS and NIST 800-53, expects MFA on identities that can act on sensitive systems. A standing MFA failure during an audit is a clean, binary, evidence-backed negative finding that no process narrative can wave away, and it is hardest to argue away on exactly the identities that hold the broadest permissions.

How do you enable MFA everywhere safely?

Work the capability as one loop rather than chasing individual findings. The order matters: protect the irreplaceable root user first, then close the IAM gaps, then migrate customer-facing pools without locking users out.

1. Protect the root user first

Sign in as root and register an MFA device under Security Credentials. For production accounts prefer a hardware/FIDO key so you satisfy both IAM.9 and the stricter IAM.6 at once. Store the recovery codes separately, confirm the root email is a monitored distribution list, then stop using root for daily work. In AWS Organizations, consider centrally managing root so member accounts have no standing root credentials at all, which also makes IAM.9 pass by the no-credentials path.

2. Audit every IAM user, not just console ones

Generate the credential report and filter to mfa_active=false with no further condition, which is the IAM.19 set including the programmatic-only identities IAM.5 ignores. For each, record whether it has a console password, whether it has active access keys, and what permissions it holds. Human users get a device; service users get a decision about whether they should exist at all.

3. Enrol or retire, then enforce

Push FIDO2 hardware keys to humans with elevated permissions and give everyone a self-enrolment deadline. For programmatic users, the strongest fix is usually to retire the long-lived user for an IAM role the workload assumes, so the leakable secret disappears and the identity leaves the control's scope. Then attach a conditional-deny policy keyed on aws:MultiFactorAuthPresent so a user without MFA can enrol but otherwise cannot act.

4. Require MFA on Cognito pools

For customer-facing pools, run a short pre-enrolment campaign, then set MfaConfiguration to ON in a single set-user-pool-mfa-config call with TOTP primary and SMS as fallback. Enable Advanced Security Features for risk-based MFA so known-good devices skip the prompt. Back the whole capability with AWS Config rules and Service Control Policies so MFA cannot be quietly weakened later.

# Root MFA has no CLI equivalent: register it in the console while signed in as root
# (Security credentials > Multi-factor authentication > Assign MFA device).
# Then verify a device is bound to the root ARN and the summary flag flips to 1.
aws iam list-virtual-mfa-devices --assignment-status Assigned \
  --query 'VirtualMFADevices[?ends_with(SerialNumber, `:mfa/root-account-mfa-device`)].SerialNumber'
aws iam get-account-summary --query 'SummaryMap.AccountMFAEnabled'

# Enforce MFA on human IAM users with a conditional-deny policy keyed on the MFA flag.
aws iam attach-group-policy --group-name HumanUsers \
  --policy-arn arn:aws:iam::123456789012:policy/RequireMFAForUsers

# Require MFA pool-wide on a customer-facing Cognito pool.
aws cognito-idp set-user-pool-mfa-config --user-pool-id eu-west-1_aB3cD4eFg \
  --mfa-configuration ON --software-token-mfa-configuration Enabled=true

Quick quiz

Question 1 of 5

Security Hub shows MFA failures across the root user, a batch of IAM users, and a Cognito pool. What is the most efficient way to think about them?

Keep learning

Go deeper on how MFA works across the identities in this capability.

You can now treat MFA as one capability rather than a scatter of findings: protect the irreplaceable root user first with a hardware device, close the IAM gaps including the programmatic-only identities the console check misses, require MFA on customer-facing Cognito pools, and back the whole capability with conditional-deny policies and Service Control Policies so it cannot be weakened. The Controls this lesson covers section below links every control in this group to its deep page and fix.

Back to the library

Enabling MFA: the cost and risk view

A near-zero-cost capability that removes the largest class of credential-compromise liability

MFA across AWS is almost free to enable. Registering a device on the root user costs nothing in AWS charges; enrolling IAM users costs at most a few pounds per hardware key. The only meaningful spend sits in Cognito, where the Advanced Security Feature that adds risk-based MFA is a usage-based charge per monthly active user. Against that, the downside of leaving any of these open is open-ended: a compromised root user can run up an uncapped bill, and a leaked key can drive a five- or six-figure crypto-mining event before anyone notices.

Treat each failing control as a line on the risk register rather than a compliance checkbox. Root MFA (IAM.9, IAM.6) is the highest-priority because it is the one credential nobody can lock out from inside the account. Programmatic-user MFA (IAM.19) catches the silent automation identities whose keys leak most often. Cognito MFA (Cognito.5) is where a credential-stuffing breach against your customers becomes a notification-and-fines event. Prioritise by what each identity can reach, not by the order the report lists it.

The insurance maths is one-sided. The remediation is a handful of device registrations plus a bounded Cognito migration. The downside of leaving it is the documented cost of a credential breach: regulatory fines, breach notification, forensics, and the runaway compute bill an attacker can generate on credentials you never locked behind a second factor.

This lesson is for the finance partner who sees a cluster of MFA findings on the security report and wants to know what the right response is and what it costs. It covers why most of these controls are free to fix, where the one real ongoing cost sits (Cognito risk-based MFA), and how to turn a list of red findings into a risk-ordered plan that puts the root user and the most-permissioned identities first.

Fun fact

The keys nobody logs in with are the ones that leak

How a finance partner frames the MFA findings

Priya brings the scatter of MFA findings to her finance partner before the SOC 2 prep meeting because she wants the spend and the risk ordering agreed before she touches anything. The partner's first reaction is that the cost barely registers: registering a device on root costs nothing in AWS charges, enrolling IAM users is at most a few pounds per hardware key, and the only ongoing line is the Cognito Advanced Security Feature for risk-based MFA, a usage-based charge per monthly active user. As remediation budgets go this is near zero. What the partner cares about instead is which failing identity carries the most exposure, because that is what decides the order of work.

So the framing the partner sets is a risk register, not a checklist. Root MFA (IAM.9 and the hardware-only IAM.6) goes first because a compromised root user can run an uncapped bill and lock out every administrator, and it is the one credential nobody can disable from inside the account. The programmatic-only users IAM.19 catches go next, since their keys are the ones that leak into committed code and sit unwatched for days. The Cognito pool on optional MFA is treated as a notification-and-fines exposure against the customer base. The partner's closing note is that for a fix this cheap against a tail risk this large, leaving any of it open is an uninsured liability, not a saving.

Why MFA belongs on the risk register

The cost model here is asymmetric in a way that is rare for security work. Enabling MFA on root and IAM users costs essentially nothing, and leaving it open creates an unbounded tail risk. The one real ongoing cost is the Cognito Advanced Security Feature for risk-based MFA, a usage-based charge per monthly active user, which is trivial next to the documented cost of a credential-based breach.

The documented cost of a credential compromise includes mandatory notification within tight regulatory windows, forensics and legal fees that routinely run into six and seven figures, customer churn, and, for compromised root or broad keys, a runaway compute bill from crypto-mining that AWS is not obliged to waive. Against that, the remediation is a handful of device registrations plus a bounded Cognito migration. The finance role is to attach expected loss to each failing identity, so the root user and the broadest keys are fixed first.

What finance can drive on MFA

Finance cannot register a device, but it sets the governance that keeps this capability at a clean state. Three levers, applied at onboarding and at the periodic review.

1. Make MFA a gate at account and pool creation

Verified root MFA should be a precondition for any new account being usable, and required MFA should be a standard line in the launch budget for any new Cognito pool. Closing the gap at creation is far cheaper than chasing remediations later.

2. Prioritise by what each identity can reach

Front-load the root user and the broadest IAM keys, and treat a customer-facing pool on optional MFA as a notification-and-fines exposure. A device on a read-only viewer is lower urgency than retiring an over-permissioned automation key.

3. Track it as an attested count, not a trend to monitor

Put a single line on the risk pack, every account root MFA on, every IAM user covered, every customer pool requiring MFA, and treat any regression as a control failure to remediate now, not a metric to watch drift.

Quick quiz

Question 1 of 5

What is the direct cost of enabling MFA across root and IAM users?

Keep learning

Go deeper on how MFA works across the identities in this capability.

You have finished the finance view of MFA. You know the direct cost is near zero, nothing for root, a few pounds per hardware key, and a usage-based charge only for Cognito risk-based MFA, while the exposure of leaving it open is an uncapped credential-breach loss of fines, notification and runaway compute. Next time the cluster appears, you will fund the fix as cheap insurance, order the work by what each identity can reach with root first, and report it as an attested count rather than a metric to watch drift.

Back to the library

Enabling MFA: the headline

Whether a single stolen password or key can act in the account

MFA is the single highest-leverage control in cloud identity. It is the difference between an account that survives a leaked credential and one that does not. The report shows it as a scatter of separate findings across the root user, IAM users and Cognito, but the leadership question behind all of them is one sentence: if a password or key leaks tomorrow, can it act on its own?

The defensible end state is that every identity that can sign in requires a second factor by policy, not by each user remembering to enrol. Root carries a hardware key locked away for break-glass use, IAM users either carry MFA or have been retired in favour of short-lived role credentials, and customer-facing Cognito pools require MFA rather than offering it.

Almost none of this is a cost decision. Enabling MFA is free or near-free in AWS terms. It is a governance decision about whether credential compromise is prevented by design or only by everyone behaving perfectly all the time.

A short read for the leader who needs to know what unprotected identities expose, why enabling MFA is a governance decision rather than a budget one, and what a defensible end state looks like across root, IAM and customer-facing identities.

Fun fact

The keys nobody logs in with are the ones that leak

What it looks like when a second factor is a standard, not a reminder

The MFA findings reached the executive review during SOC 2 preparation, after the security lead pointed out that the account still had a password-only root user and a customer pool where MFA was merely offered. The lesson leadership drew was not about any single identity. It was that credential compromise is the most common way into a cloud account, and that the business was relying on every user behaving perfectly rather than on a control that makes a stolen password useless on its own.

So the executive framing settled on two things. First, this is the rare class of control where the risk of inaction is severe and unbounded while the cost of action is essentially free for root and IAM and a small premium for Cognito, which is exactly the trade to approve fastest. Second, the end state is structural, not behavioural: root carries a hardware key locked away for break-glass use, standing IAM users either carry MFA or have been retired for short-lived role credentials, and customer pools require a second factor by policy. The question leadership keeps asking is whether a leaked password or key could act on its own tomorrow, and the only acceptable answer is no.

Why this is a board-level risk

Credential compromise is the most common entry route into a cloud account, and MFA is the control that makes a stolen password or key useless on its own. The root user is the extreme case: its compromise is unrecoverable, which is why AWS rates root MFA Critical. The programmatic and customer-facing identities are the quiet cases, where the gap sits unwatched until a leak turns it into an incident.

The cost of getting this wrong is large and well documented, while the cost of fixing it is essentially free for root and IAM and a small, bounded premium for Cognito. This is the rare class of control where the risk of inaction is severe and the cost of action is small, which is exactly the trade leadership should be quickest to approve, and exactly the standard that should be enforced by default rather than left to memory.

The leadership move on MFA

The handle is not to drive a metric down, it is to make unprotected identities structurally impossible and then verify it stays that way.

1. Require a second factor as a non-negotiable standard

No account is production-ready without root MFA, no standing identity holds power without a second factor, and customer pools require MFA by policy. For a free or near-free fix, exceptions are rarely justified and should be documented when they are.

2. Prefer no standing credential over a protected one

Short-lived role credentials beat long-lived keys with MFA bolted on. Move humans to IAM Identity Center and replace service-account keys with roles, so the identity that needed protecting no longer exists.

3. Ask for the count, not the detail

The one-minute question is whether MFA is enforced on every identity that can sign in, and whether the process guarantees it stays that way. A clean, attested answer is the only acceptable one for a control in this class.

Quick quiz

Question 1 of 5

What is the single leadership question that sits behind the whole cluster of MFA findings?

Keep learning

Go deeper on how MFA works across the identities in this capability.

Two takeaways: credential compromise is the most common way into a cloud account, and MFA is the control that makes a stolen password or key useless on its own. This is the rare trade where the risk of inaction is severe and the cost of action is essentially free, so it should be a non-negotiable default rather than a per-user reminder. The number to watch is not a dial trending down, it is whether every identity that can sign in requires a second factor and stays that way by construction.

Back to the library

Controls this lesson covers

One capability, many AWS Security Hub controls. This lesson is the shared playbook; each control below keeps its own deep page with the exact check, severity and a copy-and-paste fix.

Cognito

Cognito.5 Medium Cognito users can sign in without MFA

IAM

Part of the learning path Lock down access

Enable MFA for root and IAM users

Enabling MFA: the basics

The keys nobody logs in with are the ones that leak

Finding identities without a second factor

How AWS evaluates MFAdeep dive

What is the impact of leaving identities without MFA?

How do you enable MFA everywhere safely?

1. Protect the root user first

2. Audit every IAM user, not just console ones

3. Enrol or retire, then enforce

4. Require MFA on Cognito pools

Quick quiz

Keep learning

Enabling MFA: the cost and risk view

The keys nobody logs in with are the ones that leak

How a finance partner frames the MFA findings

Why MFA belongs on the risk register

What finance can drive on MFA

1. Make MFA a gate at account and pool creation

2. Prioritise by what each identity can reach

3. Track it as an attested count, not a trend to monitor

Quick quiz

Keep learning

Enabling MFA: the headline

The keys nobody logs in with are the ones that leak

What it looks like when a second factor is a standard, not a reminder

Why this is a board-level risk

The leadership move on MFA

1. Require a second factor as a non-negotiable standard

2. Prefer no standing credential over a protected one

3. Ask for the count, not the detail

Quick quiz

Keep learning

Controls this lesson covers

Cognito

IAM

Related compliance lessons