Skip to content

PasswordRecoveryRequested

AWS

PasswordRecoveryRequested

service: AWS - SignIn
techniques:

Event

Records a request to recover or reset the AWS account root user password via the password reset process.

Security Context

  • Accessing credential stores is a high-priority adversary objective that can unlock access to additional services, accounts, and environments.

Log Source

CloudTrail

Sample Event

Adversarial — initial access (suspicious). An anonymous request from 203.0.113.66 triggers the “Forgot password?” workflow against the production root account (555123456789). AWS only generates this event for the root user (federated/IAM users use a different recovery flow). It indicates someone has the account’s root email-form (or has guessed the account ID) and is attempting to seize the account. The SOC’s standing operating procedure is: contact the account owner immediately and verify; if not them, lock down. T1078.004.

{
"eventVersion": "1.08",
"userIdentity": {
"type": "Root",
"principalId": "555123456789",
"arn": "arn:aws:iam::555123456789:root",
"accountId": "555123456789",
"accessKeyId": ""
},
"eventTime": "2026-04-15T23:11:08Z",
"eventSource": "signin.amazonaws.com",
"eventName": "PasswordRecoveryRequested",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.66",
"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36",
"requestParameters": null,
"responseElements": {
"PasswordRecoveryRequested": "Success"
},
"additionalEventData": {
"MobileVersion": "No",
"MFAUsed": "No"
},
"eventID": "90000000-0000-4000-8000-000101011100",
"readOnly": false,
"eventType": "AwsConsoleSignIn",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "signin.aws.amazon.com"
}
}

MITRE ATT&CK Mapping

Tactics: Initial Access Credential Access Stealth

Techniques:
  • T1078.004 — Cloud Accounts — Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of r...