
Summary
The detection rule "AWS IAM Password Recovery Requested" identifies unauthorized AWS access attempts made through the password recovery mechanism. It uses AWS CloudTrail logs to monitor password recovery events initiated through AWS Identity and Access Management (IAM). Because legitimate users occasionally need to recover a password, the rule keys on specific indicators: the action "PasswordRecoveryRequested" with a successful outcome. An adversary could use such requests to gain unauthorized access, so timely detection and investigation are critical. The rule falls under initial access tactics in the MITRE ATT&CK framework, specifically technique T1078, which covers the use of valid accounts. Possible false positives from routine password resets by legitimate users are addressed by verifying the user's identity, the user agent, and any unusual request patterns. The rule carries a risk score of 21, indicating low severity, while still calling for vigilance in monitoring AWS environments for possible account compromise. Detailed triage steps, false positive analysis, and response recommendations are included so that organizations can act appropriately when the rule fires on suspicious activity.
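As an added example, not code from the rule or this page, the predicate described above and the triage checks it calls for (user agent, unusual request patterns) run over constructed CloudTrail-style records. The field layout follows CloudTrail's sign-in event format, and the "one source IP requesting recovery for several accounts" heuristic is an assumption of this example, not part of the rule.

```python
from collections import defaultdict

# Constructed sample CloudTrail records (not real logs); field layout follows
# the signin.amazonaws.com events this rule is built on.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-10T08:01:12Z", "eventSource": "signin.amazonaws.com",
     "eventName": "PasswordRecoveryRequested", "sourceIPAddress": "203.0.113.7",
     "userAgent": "Mozilla/5.0", "userIdentity": {"type": "Root", "accountId": "111122223333"},
     "responseElements": {"PasswordRecoveryRequested": "Success"}},
    {"eventTime": "2024-01-10T08:02:40Z", "eventSource": "signin.amazonaws.com",
     "eventName": "PasswordRecoveryRequested", "sourceIPAddress": "203.0.113.7",
     "userAgent": "python-requests/2.31", "userIdentity": {"type": "Root", "accountId": "444455556666"},
     "responseElements": {"PasswordRecoveryRequested": "Success"}},
    {"eventTime": "2024-01-10T09:15:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "PasswordRecoveryRequested", "sourceIPAddress": "198.51.100.20",
     "userAgent": "Mozilla/5.0", "userIdentity": {"type": "Root", "accountId": "777788889999"},
     "responseElements": {"PasswordRecoveryRequested": "Failure"}},
    {"eventTime": "2024-01-10T09:20:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.20",
     "userAgent": "Mozilla/5.0", "userIdentity": {"type": "Root", "accountId": "777788889999"},
     "responseElements": {"ConsoleLogin": "Success"}},
]

def matches_rule(event: dict) -> bool:
    # The rule's core predicate: a successful password recovery request.
    # responseElements can be null in CloudTrail, hence the "or {}" guard.
    return (
        event.get("eventSource") == "signin.amazonaws.com"
        and event.get("eventName") == "PasswordRecoveryRequested"
        and (event.get("responseElements") or {}).get("PasswordRecoveryRequested") == "Success"
    )

def triage(events: list) -> list:
    # One alert per matching event, enriched with the indicators the summary
    # says to check: user agent and unusual patterns (one IP, many accounts).
    hits = [e for e in events if matches_rule(e)]
    accounts_by_ip = defaultdict(set)
    for e in hits:
        accounts_by_ip[e["sourceIPAddress"]].add(e["userIdentity"]["accountId"])
    alerts = []
    for e in hits:
        ua = e.get("userAgent", "")
        alerts.append({
            "account": e["userIdentity"]["accountId"],
            "source_ip": e["sourceIPAddress"],
            "user_agent": ua,
            "non_browser_agent": not ua.startswith("Mozilla/"),
            "multi_account_source": len(accounts_by_ip[e["sourceIPAddress"]]) > 1,
        })
    return alerts
```

Calling `triage(SAMPLE_EVENTS)` yields two alerts; the failed request and the console login are dropped by the predicate, and the enrichment flags give an analyst the first questions to ask before treating either alert as a false positive.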
Categories
- Cloud
- AWS
- Identity Management
Data Sources
- Cloud Storage
- Application Log
- Logon Session
- User Account
- Network Traffic
ATT&CK Techniques
- T1078
Created: 2020-07-02