PasswordRecoveryRequested
AWS
PasswordRecoveryRequested
Event
Records a request to recover or reset the AWS account root user password via the password reset process.
Security Context
- Accessing credential stores is a high-priority adversary objective that can unlock access to additional services, accounts, and environments.
Log Source
CloudTrail
Sample Event
Adversarial — initial access (suspicious). An anonymous request from 203.0.113.66 triggers the “Forgot password?” workflow against the production root account (555123456789). AWS only generates this event for the root user (federated/IAM users use a different recovery flow). It indicates someone has the account’s root email-form (or has guessed the account ID) and is attempting to seize the account. The SOC’s standing operating procedure is: contact the account owner immediately and verify; if not them, lock down. T1078.004.
{ "eventVersion": "1.08", "userIdentity": { "type": "Root", "principalId": "555123456789", "arn": "arn:aws:iam::555123456789:root", "accountId": "555123456789", "accessKeyId": "" }, "eventTime": "2026-04-15T23:11:08Z", "eventSource": "signin.amazonaws.com", "eventName": "PasswordRecoveryRequested", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.66", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36", "requestParameters": null, "responseElements": { "PasswordRecoveryRequested": "Success" }, "additionalEventData": { "MobileVersion": "No", "MFAUsed": "No" }, "eventID": "90000000-0000-4000-8000-000101011100", "readOnly": false, "eventType": "AwsConsoleSignIn", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "signin.aws.amazon.com" }}MITRE ATT&CK Mapping
Tactics: Initial Access Credential Access Stealth
Techniques:
- T1078.004 — Cloud Accounts — Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of r...