ChangePassword
AWS
ChangePassword
Event
Allows an IAM user to change their own AWS Management Console login password.
Security Context
- Account manipulation is a primary persistence technique, allowing adversaries to maintain access through modified permissions or credentials.
- Accessing credential stores is a high-priority adversary objective that can unlock access to additional services, accounts, and environments.
- Actions that disrupt cloud services can have cascading effects on dependent systems and business operations.
Log Source
CloudTrail
Sample Event
Draco — having earlier obtained draco user credentials — calls iam:ChangePassword on his own console password to lock the legitimate user out of console recovery and entrench the takeover (T1531). AWS strips password material from CloudTrail, so both requestParameters and responseElements are correctly null.
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDADRAC0MALF0YBADGY", "arn": "arn:aws:iam::555123456789:user/draco", "accountId": "555123456789", "accessKeyId": "AKIADRAC0MALF0YEXAMP5", "userName": "draco", "sessionContext": { "attributes": { "creationDate": "2026-04-15T18:51:02Z", "mfaAuthenticated": "false" } } }, "eventTime": "2026-04-15T19:21:07Z", "eventSource": "iam.amazonaws.com", "eventName": "ChangePassword", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.66", "userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6", "requestParameters": null, "responseElements": null, "requestID": "90000000-0000-4000-8000-000000000111", "eventID": "90000000-0000-4000-8000-000000001000", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "iam.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Persistence Impact Credential Access
Techniques:
- T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include accoun...
- T1531 — Account Access Removal — Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials, revoked permissions for SaaS platforms such as Sharepoint) to remove access to accounts....