18
votes

I'm trying to enable MFA for an existing AWS Cognito user pool. I'm editing the user-pool configuration, but trying to save the new configuration results in an "MFA cannot be turned off if an SMS role is configured" error (see picture). I don't understand that error message, and Google is no help.

Question: What am I doing wrong, and how can I enable MFA for an existing user pool?


Which AWS region are you using? – hungneox
Ireland (eu-west-1) – Vingtoft
Weird, I guess that you already chose optional for MFA. In my case, it doesn't work in eu-central-1 but for eu-west-1 it's ok. – hungneox
And you probably also need to increase your AWS monthly spending limit. – hungneox
The SNS spending limit is already increased, I don't think that's the problem. I solved the issue by exporting all users, creating a new user pool with MFA enabled and then importing the users. This solution would probably not be desirable if the system contained many users and high traffic. – Vingtoft

3 Answers

6
votes

Go to IAM and make sure you didn't accidentally create an SMS role. Under the step:

You must provide a role to allow Amazon Cognito to send SMS messages

If you press Create Role then this will generate the error you mentioned. I guess in order to continue you need to properly configure your SMS.

To solve this issue I had to remove an SMS role (IAM) linked to my User Pool.

So by removing the SMS role I was able to continue the creation of the new User Pool.

You can do that by signing in to your console. Go to IAM; on the left side under the dashboard, go to Roles. Select from the list the SMS role associated with your User Pool and delete it.

5
votes

The SNSRole is added automatically, can't be changed by any available parameter and can't be modified later. The current workaround is to manually modify the yaml configuration and remove that part.

  • amplify add auth
  • go through all the config
  • open the file backend/auth//-cloudformation-template.yml
  • remove SNSRole row in Resources and SmsConfiguration in Resources > UserPool > Properties
  • amplify push

from: https://github.com/aws-amplify/amplify-js/issues/2906
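The answer above edits the Amplify-generated template by hand. As an added example (not Amplify's code and not from this thread), the script below does the same removal on the JSON form of a CloudFormation template and then checks that no Ref or Fn::GetAtt to the role is left behind, because a dangling reference is what fails at push time rather than the deletion itself. The sample template, the logical IDs SNSRole and UserPool, and the property values are constructed for this example; Amplify's real template wires SnsCallerArn in its own way. Keep in mind that without SmsConfiguration the pool cannot send SMS at all, so only software-token (TOTP) MFA remains usable.

```python
"""Remove the SMS role and SmsConfiguration from a Cognito CloudFormation
template (JSON form) and refuse to return a template with dangling references.

Added example; not Amplify's own tooling. CloudFormation YAML uses intrinsic
tags (!GetAtt, !Ref) that would need a custom loader, so JSON is used here.
"""
import copy
import json
import sys

# Constructed sample: a minimal Amplify-style auth template in which the user
# pool depends on an SNS publish role and references its ARN.
SAMPLE_TEMPLATE = {
    "Resources": {
        "SNSRole": {  # assumed logical ID, constructed for this example
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {"Service": "cognito-idp.amazonaws.com"},
                        "Action": "sts:AssumeRole",
                        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
                    }],
                },
                # least privilege: the role only needs to publish to SNS
                "Policies": [{
                    "PolicyName": "sns-publish",
                    "PolicyDocument": {"Statement": [
                        {"Effect": "Allow", "Action": "sns:Publish", "Resource": "*"}]},
                }],
            },
        },
        "UserPool": {  # assumed logical ID, constructed for this example
            "Type": "AWS::Cognito::UserPool",
            "DependsOn": ["SNSRole"],
            "Properties": {
                "UserPoolName": "example-pool",
                "MfaConfiguration": "OPTIONAL",
                "EnabledMfas": ["SOFTWARE_TOKEN_MFA"],
                "SmsConfiguration": {
                    "SnsCallerArn": {"Fn::GetAtt": ["SNSRole", "Arn"]},
                    "ExternalId": "example-external-id",
                },
            },
        },
    }
}


def references_to(node, logical_id):
    """Yield every Ref / Fn::GetAtt node anywhere in the tree that points at logical_id."""
    if isinstance(node, dict):
        if node.get("Ref") == logical_id:
            yield node
        target = node.get("Fn::GetAtt")
        if isinstance(target, list) and target and target[0] == logical_id:
            yield node
        elif isinstance(target, str) and target.split(".")[0] == logical_id:
            yield node
        for child in node.values():
            yield from references_to(child, logical_id)
    elif isinstance(node, list):
        for child in node:
            yield from references_to(child, logical_id)


def strip_sms_role(template, role_id="SNSRole", pool_id="UserPool"):
    """Return a copy of template without role_id and without the pool's SmsConfiguration.

    The input is left untouched. Raises ValueError if any other part of the
    template (outputs, other resources) still references the role, so a
    half-edited template is never handed to `amplify push`.
    """
    out = copy.deepcopy(template)
    resources = out["Resources"]
    resources.pop(role_id, None)
    pool = resources[pool_id]
    pool.get("Properties", {}).pop("SmsConfiguration", None)
    depends = pool.get("DependsOn")
    if isinstance(depends, str):
        depends = [depends]
    if depends is not None:
        depends = [d for d in depends if d != role_id]
        if depends:
            pool["DependsOn"] = depends
        else:
            pool.pop("DependsOn", None)
    dangling = list(references_to(out, role_id))
    if dangling:
        raise ValueError(f"{len(dangling)} reference(s) to {role_id} remain: {dangling}")
    return out


if __name__ == "__main__":
    # Usage: python strip_sms_role.py [template.json]; without an argument the
    # constructed sample is used. The cleaned template is printed to stdout.
    source = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    print(json.dumps(strip_sms_role(source), indent=2))
```

The dangling-reference check is the part worth keeping even if you edit the YAML by hand: after deleting the SNSRole resource, grep the template for the role's logical ID before pushing.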

1
votes

The provided solution (removing the role manually) didn't work for me.

I found a solution from the amplify cli.

Run this

amplify update auth

One of the questions is whether you want to disable MFA. Then run

amplify push auth

to move your changes to the cloud.