diff --git a/rules/aws/initial_access_root_console_failure_brute_force.toml b/rules/aws/initial_access_root_console_failure_brute_force.toml
new file mode 100644
index 000000000..990c37103
--- /dev/null
+++ b/rules/aws/initial_access_root_console_failure_brute_force.toml
@@ -0,0 +1,53 @@
+[metadata]
+creation_date = "2020/07/21"
+ecs_version = ["1.6.0"]
+maturity = "production"
+updated_date = "2020/09/03"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. An
+adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services
+and resources for the AWS account.
+"""
+false_positives = [
+    """
+    Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false
+    positives.
+    """,
+]
+from = "now-20m"
+index = ["filebeat-*", "logs-aws*"]
+language = "kuery"
+license = "Elastic License"
+name = "AWS Management Console Brute Force of Root User Identity"
+note = "The AWS Filebeat module must be enabled to use this rule."
+references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"]
+risk_score = 73
+rule_id = "4d50a94f-2844-43fa-8395-6afbd5e1c5ef"
+severity = "high"
+tags = ["AWS", "Continuous Monitoring", "Elastic", "Identity and Access", "SecOps"]
+type = "threshold"
+
+query = '''
+event.module:aws and event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:failure
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1110"
+name = "Brute Force"
+reference = "https://attack.mitre.org/techniques/T1110/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[rule.threshold]
+field = "cloud.account.id"
+value = 10
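Review bot: The `note` field states only that the AWS Filebeat module must be enabled, but the query depends on `event.provider:signin.amazonaws.com` ConsoleLogin events reaching the index at all, and a CloudTrail trail that is not configured to capture console sign-in activity (sign-in events are, as far as I recall, delivered as global service events rather than per-region) will produce no matching documents, so the rule fails silently rather than alerting — operators should be told to verify this prerequisite. I would extend it to `note = "The AWS Filebeat module must be enabled to use this rule. The CloudTrail trail must also record console sign-in (signin.amazonaws.com) events; verify that a failed Root ConsoleLogin appears in the aws.cloudtrail dataset before relying on this rule."` Separately, the `[rule.threshold]` block counts failures per `cloud.account.id` only, which correctly catches attempts spread across many source IPs but means the alert itself carries no indication of where the attempts originated and nothing fires on the success that ends a brute force; a companion rule for `aws.cloudtrail.user_identity.type:Root and event.outcome:success` (or a sequence of failures followed by success) would close that gap. The `false_positives` text about "expired credentials" also reads as boilerplate here, since the query is restricted to the Root identity, which has no automated console clients or expiring credentials in the usual sense — consider replacing it with the realistic case of an administrator mistyping the Root password repeatedly.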