
Detecting IAM Users Without MFA Using AWS Config, with Real-Time Admin Notifications via SNS


Introduction

Securing AWS accounts is crucial in today’s cloud-driven world. One of the simplest yet most overlooked risks is IAM users without Multi-Factor Authentication (MFA). Accounts without MFA are highly vulnerable to password leaks, phishing attacks, and unauthorized access.

In this article, I’ll show how to detect IAM users without MFA using AWS Config, validate the detection, and remediate the issue. This project can be completed in under an hour and is beginner-friendly, yet demonstrates an enterprise-grade security control.

Project Overview

The goal of this project is simple:

  1. Enable AWS Config to continuously monitor IAM users.

  2. Use the managed rule IAM_USER_MFA_ENABLED to flag users without MFA.

  3. Test the rule by creating a user without MFA.

  4. Remediate the issue by enabling MFA and verify compliance.

  5. Notify the admin by email when a user is evaluated as non-compliant.

This setup gives you continuous visibility into your AWS account’s IAM security posture and can be extended to other compliance rules or automated remediation later.

Procedures

Step 1: Enable AWS Config

Open AWS Config in your AWS console.

Select All resources and Include global resources (IAM is a global service). Record global resources in only one region: recording them in several regions produces duplicate configuration items for the same IAM users and is billed for each of them.

Create a new S3 bucket for AWS Config logs and a service role.

Confirm setup.


Explanation: AWS Config records the configuration of your AWS resources and tracks changes over time. Enabling global resources ensures IAM users, roles, and policies are monitored across your account.

Step 2: Add the MFA Compliance Rule

Navigate to AWS Config → Rules → Add rule.

Select AWS managed rule: IAM_USER_MFA_ENABLED.

Save the rule with default settings.

Explanation: This rule evaluates whether every IAM user in the account has an MFA device assigned, whether the user signs in with a console password or only uses access keys. It is a periodic rule: it runs on a schedule (every 24 hours by default, adjustable in the rule's settings) rather than on each change to a user, so there is a delay between creating a user and seeing a result unless you re-evaluate the rule manually.

✅ Users with MFA → COMPLIANT

❌ Users without MFA → NON_COMPLIANT

This automated check replaces manual auditing of IAM users with a continuous, recorded evaluation.

Step 3: Test the Rule with a Non-Compliant User

Go to IAM → Users → Create User.

Create a user, e.g., test-user-no-mfa.

Enable AWS Management Console access but do NOT configure MFA. (Console access is not required for the rule to flag the user; an access-key-only user without an MFA device is also NON_COMPLIANT. A console password simply makes the test resemble the common real-world case.)

Explanation: Creating a user without MFA simulates a real-world misconfiguration. AWS Config will flag it at the rule's next evaluation.


Step 4: Observe Compliance Results

Go back to AWS Config → Rules → IAM_USER_MFA_ENABLED.

Choose Actions → Re-evaluate to run the rule now, or wait for the next scheduled run; the result appears a few minutes after the evaluation starts.

You should see:

Status: ❌ NON_COMPLIANT

Details: User flagged (test-user-no-mfa)

Explanation: AWS Config evaluates the rule automatically on its schedule and records the result for every IAM user. This allows security teams to identify risks without manual intervention, and the compliance timeline shows when each user became compliant or non-compliant.
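To make the evaluation in Steps 2 to 4 concrete, here is the same check reproduced offline. This is an added example, not code from the original article or from AWS: it reads an IAM credential report (the CSV behind `aws iam get-credential-report`, whose `user`, `password_enabled`, `mfa_active` and `access_key_1_active` columns are real) and assigns each user the COMPLIANT / NON_COMPLIANT value the rule would report. The report rows, account ID and user names are constructed for the example; the `Evaluation` type and function names are this example's own.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample in the shape of an IAM credential report
# (`aws iam generate-credential-report`, then `aws iam get-credential-report`,
# base64-decoded). Only the columns used below are included; the real report
# has more. Account ID and user names are made up for this example.
SAMPLE_CREDENTIAL_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::123456789012:root,not_supported,true,false
alice,arn:aws:iam::123456789012:user/alice,true,true,false
test-user-no-mfa,arn:aws:iam::123456789012:user/test-user-no-mfa,true,false,false
ci-deployer,arn:aws:iam::123456789012:user/ci-deployer,false,false,true
"""


@dataclass
class Evaluation:
    user: str
    compliance: str   # "COMPLIANT" or "NON_COMPLIANT", the values AWS Config reports
    annotation: str   # human-readable reason, useful in an alert


def evaluate_mfa(report_csv: str) -> list[Evaluation]:
    """Offline mirror of what IAM_USER_MFA_ENABLED checks: every IAM user
    must have an MFA device, whether it signs in with a console password or
    only holds access keys. The root account is skipped because it is covered
    by a different managed rule (root-account-mfa-enabled)."""
    results: list[Evaluation] = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue
        if row["mfa_active"] == "true":
            results.append(Evaluation(row["user"], "COMPLIANT", "MFA device active"))
            continue
        # Explain *which* kind of credential is unprotected; both are flagged.
        how = "console password" if row["password_enabled"] == "true" else "access keys only"
        results.append(Evaluation(row["user"], "NON_COMPLIANT", f"no MFA device ({how})"))
    return results


def non_compliant_users(report_csv: str) -> list[str]:
    """Names of the users an admin would be notified about."""
    return [e.user for e in evaluate_mfa(report_csv) if e.compliance == "NON_COMPLIANT"]


if __name__ == "__main__":
    for e in evaluate_mfa(SAMPLE_CREDENTIAL_REPORT):
        print(f"{e.compliance:14} {e.user:20} {e.annotation}")
```

Against a real account, replace the constant with the decoded output of `aws iam get-credential-report --query Content --output text | base64 -d`. Note that `ci-deployer` is flagged even though it has no console password: that matches the managed rule, which treats an access-key-only user without MFA as non-compliant.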

Step 5: Enable Config to Publish Notifications to SNS

The simplest route is AWS Config's own delivery channel: Config can publish to an SNS topic whenever a compliance evaluation runs or a resource changes.

  1. Go to AWS Config → Settings → Edit.

  2. Under Delivery method, tick "Amazon SNS topic".

  3. Select "Create a topic".

  4. Name the topic, e.g. mfa-noncompliance.

  5. Save.

Explanation: Be aware that this topic receives every notification type Config emits (configuration item changes, snapshot deliveries, compliance changes for all rules), not only the MFA rule's failures. For an email subscription that is acceptable in a small test account; in a busy account, subscribe a Lambda function that filters for the MFA rule, or use an EventBridge rule on the "Config Rules Compliance Change" event instead of the raw topic.

Step 6: Subscribe the Admin Email to the SNS Topic

  1. Open Amazon SNS → Topics and click the topic you created in Step 5.

  2. Click Create subscription.

  3. For Protocol, select "Email".

  4. For Endpoint, enter the admin email address.

  5. Click Create subscription.

  6. Open the confirmation email SNS sends to that address and click "Confirm subscription". SNS delivers nothing to an unconfirmed email endpoint.

Once the subscription is confirmed, the next compliance change for test-user-no-mfa arrives in the admin's inbox as a JSON message from AWS Config.
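Because Config's topic carries every notification type, a practitioner usually puts a filter between the topic and the admin. The following added example (not from the original article or from AWS) is a Lambda-shaped handler that would be subscribed to the topic from Step 5: it parses each SNS record, keeps only ComplianceChangeNotification messages for IAM_USER_MFA_ENABLED whose new result is NON_COMPLIANT, and drops snapshot notices, other rules, and users that just became compliant. The field names (`messageType`, `configRuleName`, `resourceType`, `resourceId`, `newEvaluationResult.complianceType`) follow Config's compliance-change notification format; the sample event, account ID, region, resource IDs and the `RULE_NAME` constant are constructed for the example, and the handler returns the alerts instead of publishing them so it runs offline.

```python
import json

# Name the rule was saved under in Step 2 (assumed; use your rule's actual name).
RULE_NAME = "IAM_USER_MFA_ENABLED"


def _sns_record(message: dict) -> dict:
    """Wrap a Config message the way SNS hands it to a subscribed Lambda."""
    return {"Sns": {"Message": json.dumps(message)}}


# Constructed SNS-to-Lambda event with four messages as Config would publish
# them to the topic. Field names follow Config's notification formats; account
# ID, region and resource IDs are made up. Config identifies an IAM user by
# its unique ID (AIDA...), not by its user name.
SAMPLE_EVENT = {
    "Records": [
        # 1. Noise: a configuration snapshot was delivered to S3.
        _sns_record({"messageType": "ConfigurationSnapshotDeliveryCompleted",
                     "awsAccountId": "123456789012"}),
        # 2. The transition the admin wants: test user became NON_COMPLIANT.
        _sns_record({"messageType": "ComplianceChangeNotification",
                     "awsAccountId": "123456789012", "awsRegion": "us-east-1",
                     "configRuleName": RULE_NAME,
                     "resourceType": "AWS::IAM::User",
                     "resourceId": "AIDAEXAMPLENOMFA0001",
                     "newEvaluationResult": {"complianceType": "NON_COMPLIANT"},
                     "oldEvaluationResult": None}),
        # 3. Same rule, but the user was remediated: not an alert.
        _sns_record({"messageType": "ComplianceChangeNotification",
                     "awsAccountId": "123456789012", "awsRegion": "us-east-1",
                     "configRuleName": RULE_NAME,
                     "resourceType": "AWS::IAM::User",
                     "resourceId": "AIDAEXAMPLEFIXED0002",
                     "newEvaluationResult": {"complianceType": "COMPLIANT"},
                     "oldEvaluationResult": {"complianceType": "NON_COMPLIANT"}}),
        # 4. A different rule failing: belongs to another workflow.
        _sns_record({"messageType": "ComplianceChangeNotification",
                     "awsAccountId": "123456789012", "awsRegion": "us-east-1",
                     "configRuleName": "s3-bucket-public-read-prohibited",
                     "resourceType": "AWS::S3::Bucket",
                     "resourceId": "example-public-bucket",
                     "newEvaluationResult": {"complianceType": "NON_COMPLIANT"},
                     "oldEvaluationResult": {"complianceType": "COMPLIANT"}}),
    ]
}


def mfa_alerts(event: dict) -> list[str]:
    """Return one alert line per IAM user that just failed the MFA rule."""
    alerts: list[str] = []
    for record in event.get("Records", []):
        try:
            msg = json.loads(record["Sns"]["Message"])
        except (KeyError, TypeError, ValueError):
            continue  # malformed or non-SNS record: skip rather than crash
        if msg.get("messageType") != "ComplianceChangeNotification":
            continue
        if msg.get("configRuleName") != RULE_NAME:
            continue
        new = msg.get("newEvaluationResult") or {}
        if new.get("complianceType") != "NON_COMPLIANT":
            continue
        alerts.append(
            f"[{msg.get('awsAccountId')}/{msg.get('awsRegion')}] "
            f"{msg.get('resourceType')} {msg.get('resourceId')} has no MFA device "
            f"(rule {RULE_NAME})"
        )
    return alerts


def lambda_handler(event: dict, context) -> dict:
    """Lambda entry point. A real deployment would forward each alert to an
    admin-only topic, e.g. boto3.client("sns").publish(TopicArn=..., Subject=...,
    Message=alert); returning them keeps this example runnable offline."""
    return {"alerts": mfa_alerts(event)}


if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT, None), indent=2))
```

With this in place the admin email is subscribed to the second, filtered topic rather than to Config's raw delivery topic, so the inbox only receives the MFA failures.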

Step 7: Remediate the Issue

Go to IAM → Users → test-user-no-mfa → Security credentials.

Click Assign MFA device.

Choose Authenticator app (a virtual MFA device such as Google Authenticator), or a security key if one is available.

Complete setup.

Explanation: Enabling MFA significantly reduces the risk of account compromise through a leaked or phished password. Once enabled, the user is reported as COMPLIANT at the rule's next evaluation (re-evaluate manually to see the change immediately), and the SNS topic receives the corresponding compliance-change notification. Delete test-user-no-mfa when you are done. Keep in mind that this control detects missing MFA; it does not stop a user without MFA from acting. Enforcement requires an IAM policy that denies actions unless the aws:MultiFactorAuthPresent condition key is true, which is a separate step from the detection set up here.