AWS Sign-In Root Password Recovery Requested

Last updated on 2025-10-13
Created on 2020-07-02

About

Identifies a password recovery request for the AWS account root user. In AWS, the PasswordRecoveryRequested event from signin.amazonaws.com applies to the root user’s “Forgot your password?” flow. Other identity types, like IAM and federated users, do not generate this event. This alert indicates that someone initiated the root password reset workflow for this account. Verify whether this was an expected action and review identity provider notifications/email to confirm legitimacy.
Tags
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS Sign-In
Use Case: Identity and Access Audit
Tactic: Initial Access
Language: kuery
Severity
high
Risk Score
73
MITRE ATT&CK™

Initial Access (TA0001)

License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*
logs-aws.cloudtrail-*
Related Integrations

aws

Query
event.dataset:aws.cloudtrail and 
event.provider:signin.amazonaws.com and 
event.action:PasswordRecoveryRequested and 
event.outcome:success
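
The query above as an added, runnable example (not Elastic's code): it evaluates the rule's four-field conjunction against constructed ECS-style documents to show which events alert and which do not. It handles only the `field:value and ...` form used here, not full KQL; the helper names, account ID and IP addresses are assumptions.

```python
# Added example: offline check of the rule's conjunction against constructed events.
RULE_QUERY = (
    "event.dataset:aws.cloudtrail and "
    "event.provider:signin.amazonaws.com and "
    "event.action:PasswordRecoveryRequested and "
    "event.outcome:success"
)

def parse_conjunction(query):
    """Split 'field:value and field:value' into (field, value) pairs."""
    pairs = []
    for clause in query.split(" and "):
        field, _, value = clause.strip().partition(":")
        if not field or not value:
            raise ValueError(f"unsupported clause: {clause!r}")
        pairs.append((field, value))
    return pairs

def get_field(doc, dotted):
    """Resolve a dotted ECS field name in a nested dict; None if absent."""
    node = doc
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def matches(doc, query=RULE_QUERY):
    """True only when every clause of the conjunction matches exactly."""
    return all(get_field(doc, f) == v for f, v in parse_conjunction(query))

def ecs_event(action, outcome, ip, provider="signin.amazonaws.com"):
    """Build a constructed ECS-style document (hypothetical helper)."""
    return {"event": {"dataset": "aws.cloudtrail", "provider": provider,
                      "action": action, "outcome": outcome},
            "cloud": {"account": {"id": "111122223333"}},  # constructed
            "source": {"ip": ip}}                          # documentation range

# Constructed sample events; only the first satisfies all four clauses.
SAMPLE_EVENTS = [
    ecs_event("PasswordRecoveryRequested", "success", "203.0.113.10"),
    ecs_event("PasswordRecoveryRequested", "failure", "203.0.113.10"),
    ecs_event("ConsoleLogin", "success", "198.51.100.7"),
    ecs_event("UpdateLoginProfile", "success", "198.51.100.7", provider="iam.amazonaws.com"),
]

def run_rule(events):
    """Return the events that would raise this alert."""
    return [e for e in events if matches(e)]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT", hit["cloud"]["account"]["id"], hit["source"]["ip"])
```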

Install detection rules in Elastic Security

Detect AWS Sign-In Root Password Recovery Requested in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.