Multiple AWS root password recovery requests
ID: aws_root_password_recovery_volume
Data type: AWS CloudTrail
Severity: Informational - Medium
MITRE ATT&CK: TA0001:T1078.004
Description
AlphaSOC detected one or more AWS root password recovery requests recorded in CloudTrail. The AWS root user has unrestricted access to every resource in the account, which makes it a prime target for threat actors. A recovery request that nobody in your organization initiated may be an attempt to take over the account, and a burst of requests or a request from an unfamiliar network is a stronger signal than a single request.
Impact
An unrecognized AWS root password recovery request may indicate malicious activity. If the root credentials are compromised, an attacker gains full control of the account: they can delete, modify, or exfiltrate data, disable logging and other security controls, and create additional access for themselves that survives a later password reset.
Severity
| Severity | Condition |
|---|---|
| Informational | AWS root password recovery request |
| Low | 5 or more AWS root password recovery requests within an hour |
| Medium | AWS root password recovery request from an unexpected ASN |
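The severity table above is straightforward to turn into detection logic. The following Python is an added example, not AlphaSOC's own implementation: it parses constructed newline-delimited CloudTrail records (not real data), keeps only the `PasswordRecoveryRequested` sign-in events that this detection is assumed to key on, counts requests per account in a sliding one-hour window, and checks the source ASN against an allow list. The IP-to-ASN lookup (`IP_TO_ASN`) and the expected ASN set (`EXPECTED_ASNS`) are hypothetical stand-ins for a real ASN database and your own network inventory.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample CloudTrail records (not real data). Field names follow the
# CloudTrail record format; PasswordRecoveryRequested from signin.amazonaws.com
# is the sign-in event assumed to back this detection. IPs come from the
# documentation ranges and ASNs from the reserved-for-documentation block.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    # Account 111...: five requests in 55 minutes from an expected ASN -> Low
    *[{"eventTime": f"2024-05-01T10:{m}:00Z", "eventSource": "signin.amazonaws.com",
       "eventName": "PasswordRecoveryRequested", "recipientAccountId": "111111111111",
       "sourceIPAddress": "203.0.113.10"} for m in ("00", "10", "20", "30", "55")],
    # Account 222...: one request from an ASN not on the allow list -> Medium
    {"eventTime": "2024-05-01T11:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "PasswordRecoveryRequested", "recipientAccountId": "222222222222",
     "sourceIPAddress": "192.0.2.44"},
    # Account 333...: one request from an expected ASN -> Informational
    {"eventTime": "2024-05-01T12:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "PasswordRecoveryRequested", "recipientAccountId": "333333333333",
     "sourceIPAddress": "203.0.113.10"},
    # Account 444...: four requests over two hours, never five in one hour -> Informational
    *[{"eventTime": t, "eventSource": "signin.amazonaws.com",
       "eventName": "PasswordRecoveryRequested", "recipientAccountId": "444444444444",
       "sourceIPAddress": "198.51.100.7"}
      for t in ("2024-05-01T10:00:00Z", "2024-05-01T10:40:00Z",
                "2024-05-01T11:20:00Z", "2024-05-01T12:00:00Z")],
    # Unrelated sign-in event that the filter must ignore
    {"eventTime": "2024-05-01T12:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "recipientAccountId": "333333333333",
     "sourceIPAddress": "203.0.113.10"},
])

# Hypothetical IP-to-ASN lookup and the ASNs the organisation expects root
# recovery traffic from; a real deployment would query an ASN database.
IP_TO_ASN = {"203.0.113.10": 64500, "198.51.100.7": 64500, "192.0.2.44": 64502}
EXPECTED_ASNS = {64500}

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2}


def parse_recovery_requests(log_text):
    """Return the root password recovery requests in newline-delimited CloudTrail JSON."""
    requests = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if (rec.get("eventSource") != "signin.amazonaws.com"
                or rec.get("eventName") != "PasswordRecoveryRequested"):
            continue
        when = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        requests.append({
            "account": rec["recipientAccountId"],
            "time": when.replace(tzinfo=timezone.utc),
            "ip": rec["sourceIPAddress"],
        })
    return requests


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any single sliding window."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] >= window:
            start += 1
        best = max(best, end - start + 1)
    return best


def score_accounts(requests, ip_to_asn, expected_asns,
                   window=timedelta(hours=1), threshold=5):
    """Apply the severity table: a request is Informational, `threshold` or more
    within `window` is Low, any request from an ASN outside `expected_asns` is
    Medium. The highest matching severity wins."""
    per_account = defaultdict(list)
    for req in requests:
        per_account[req["account"]].append(req)

    results = {}
    for account, reqs in per_account.items():
        severity = "Informational"
        reasons = ["AWS root password recovery request"]

        burst = max_in_window([r["time"] for r in reqs], window)
        if burst >= threshold:
            severity = max(severity, "Low", key=SEVERITY_RANK.get)
            reasons.append(f"{burst} requests within {window}")

        # An IP missing from the lookup is treated as unexpected: an unknown
        # origin is not evidence that the request came from a known network.
        unexpected = sorted({ip_to_asn.get(r["ip"], "unknown") for r in reqs}
                            - set(expected_asns), key=str)
        if unexpected:
            severity = max(severity, "Medium", key=SEVERITY_RANK.get)
            reasons.append(f"request from unexpected ASN(s): {unexpected}")

        results[account] = {"severity": severity, "reasons": reasons,
                            "count": len(reqs)}
    return results


def run_example():
    return score_accounts(parse_recovery_requests(SAMPLE_LOG), IP_TO_ASN, EXPECTED_ASNS)


if __name__ == "__main__":
    for account, result in sorted(run_example().items()):
        print(account, result["severity"], "; ".join(result["reasons"]))
```

Running the block prints one line per account with its severity and the conditions that fired. Note that the window is sliding rather than aligned to clock hours, so four requests at 10:00, 10:40, 11:20 and 12:00 never count as a burst even though two of them share a clock hour, and an IP with no ASN mapping is deliberately scored as unexpected rather than silently skipped.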
Investigation and Remediation
Confirm with the account owner whether the password recovery request was initiated by an authorized person. In CloudTrail, review the sourceIPAddress and userAgent of the PasswordRecoveryRequested event and check whether it was followed by a PasswordRecoveryCompleted event or a root ConsoleLogin; a completed recovery that nobody in your organization performed indicates access to the root user's email mailbox. If the request is unrecognized, reset the root password, verify the root email address and the security of that mailbox, confirm that MFA is enabled on the root user, and review all subsequent root activity in CloudTrail for newly created credentials, IAM changes, or disabled logging.
Known False Positives
- Legitimate password recovery attempts by authorized users
- Automated recovery triggers by security or monitoring tools