When receiving an unprompted 2FA code, the account holder should assume their credentials were stolen and log directly into Amazon, without clicking on any links in text messages or emails, to change their password.
It is also important to not think that since 2FA protected your account you no longer need to change your password. This is a false sense of security, as threat actors have figured out ways to bypass MFA in the past
so there is no reason to give them the opportunity to do so with your account.
(for any account not just Amazon don't be led by a false sense of security)
Furthermore, while SMS and email 2FA provide extra protection to your accounts, they are the most risky MFA method to use. This is because if someone gains access to your email or phone number, such as through a SIM swapping attack, they'll also have access to your OTP codes.