Multiple AWS root password recovery requests

ID: aws_root_password_recovery_volume
Data type: AWS CloudTrail
Severity: Informational - Medium
MITRE ATT&CK: TA0001:T1078.004

Description

AlphaSOC detected a request to recover the password of the AWS root account. The root account has unrestricted access to every resource in the AWS account, which makes it a valuable target for threat actors. A root password recovery request may indicate an attempt to gain unauthorized access to the AWS environment.

Impact

An unrecognized AWS root password recovery request may indicate malicious activity. If root credentials are compromised, attackers can gain full control over cloud resources, allowing them to delete, modify, or steal data, disable security mechanisms, and escalate privileges.

Severity

Severity        Condition
Informational   AWS root password recovery request
Low             5 or more AWS root password recovery requests within an hour
Medium          AWS root password recovery request from an unexpected ASN
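The severity conditions above, applied to constructed CloudTrail records as an added example; this is not AlphaSOC's detection code. The CloudTrail event name, the expected-ASN set, the `asn` enrichment field (CloudTrail records carry only `sourceIPAddress`) and the sample records are all assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed for the example: ASNs the organisation expects root activity from.
EXPECTED_ASNS = {64500}

# Sign-in event for a root password recovery request (assumed name; verify against your own logs).
RECOVERY_EVENT = ("signin.amazonaws.com", "PasswordRecoveryRequested")


def make_event(hour, minute, asn, identity_type="Root"):
    """Build a minimal constructed CloudTrail record; 'asn' is an enrichment, not a native field."""
    return {
        "eventTime": datetime(2024, 1, 1, hour, minute, tzinfo=timezone.utc).isoformat(),
        "eventSource": RECOVERY_EVENT[0],
        "eventName": RECOVERY_EVENT[1],
        "userIdentity": {"type": identity_type},
        "asn": asn,
    }


def is_root_recovery(event):
    """True only for recovery requests attributed to the root identity."""
    return ((event.get("eventSource"), event.get("eventName")) == RECOVERY_EVENT
            and event.get("userIdentity", {}).get("type") == "Root")


def classify(events, expected_asns=EXPECTED_ASNS, window=timedelta(hours=1)):
    """Map a batch of records to the highest severity from the table above, or None if no match."""
    hits = [e for e in events if is_root_recovery(e)]
    if not hits:
        return None
    if any(e.get("asn") not in expected_asns for e in hits):
        return "Medium"  # request from an unexpected ASN outranks the volume condition
    times = sorted(datetime.fromisoformat(e["eventTime"]) for e in hits)
    # Sliding window: any five requests whose first and fifth fall within one hour -> Low
    if any(times[i + 4] - times[i] <= window for i in range(len(times) - 4)):
        return "Low"
    return "Informational"


# Constructed sample batches
SINGLE = [make_event(10, 0, 64500)]
BURST = [make_event(10, m, 64500) for m in (0, 10, 20, 30, 40)]
SPREAD = [make_event(h, 0, 64500) for h in (8, 10, 12, 14, 16)]
FOREIGN = [make_event(10, 0, 64501)]
NOT_ROOT = [make_event(10, 0, 64500, identity_type="IAMUser")]

if __name__ == "__main__":
    for name, batch in [("single", SINGLE), ("burst", BURST), ("spread", SPREAD),
                        ("foreign", FOREIGN), ("not_root", NOT_ROOT)]:
        print(name, classify(batch))
```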

Investigation and Remediation

Verify whether the password recovery request was authorized, and review the surrounding CloudTrail logs for any suspicious activity.

Known False Positives

  • Legitimate password recovery attempts by authorized users
  • Automated recovery triggers by security or monitoring tools