AWS IAM OIDC Provider Created by Rare User
An uncommon user or role creating an OpenID Connect (OIDC) Identity Provider in AWS IAM can indicate an attacker establishing persistent, federated access by creating rogue OIDC providers to assume roles using attacker-controlled IdP tokens.
This detection identifies when a previously unseen user or role creates an OpenID Connect (OIDC) Identity Provider within an AWS IAM environment. OIDC providers facilitate web identity federation, enabling external identity providers to authenticate users for assuming IAM roles. Threat actors, especially those with existing administrative access, may abuse this by creating unauthorized OIDC providers. This allows them to maintain persistent access, potentially bypassing credential rotations, by assuming roles using tokens from an IdP they control. While legitimate OIDC provider creation can occur, especially within CI/CD pipelines or Kubernetes environments, any unfamiliar user initiating this activity warrants immediate investigation. This rule focuses on the initial creation event as a key indicator of potential compromise.
Attack Chain
- Initial Access: The attacker gains initial access to the AWS environment, potentially through compromised credentials, or exploiting an existing vulnerability.
- Privilege Escalation: The attacker escalates privileges within the AWS environment to obtain the necessary permissions to create IAM resources, specifically OIDC providers. This might involve exploiting misconfigured IAM roles or policies.
- Discovery: The attacker uses AWS APIs (e.g.,
iam:ListRoles,iam:GetRole) to identify potential target roles to which they want to establish persistent access. - Credential Access: The attacker crafts a malicious OIDC provider configuration. This involves setting up a rogue identity provider controlled by the attacker.
- Persistence: The attacker creates a new IAM OIDC provider using the
CreateOpenIDConnectProviderAPI call, configuring it to trust the attacker-controlled identity provider. - Trust Modification: The attacker modifies the trust policy of existing IAM roles using
UpdateAssumeRolePolicyto allow principals authenticated via the rogue OIDC provider to assume those roles. - Defense Evasion: The attacker may attempt to obfuscate their activity by using unusual naming conventions or by creating the OIDC provider during off-peak hours.
- Impact: The attacker leverages their newly established federated access to assume roles and access sensitive AWS resources, potentially leading to data exfiltration, service disruption, or other malicious activities. They use
AssumeRoleWithWebIdentityto obtain temporary credentials.
Impact
Successful exploitation allows attackers to establish persistent access within the AWS environment, even after credential rotations. The impact can range from unauthorized access to sensitive data and resources, to complete compromise of the AWS environment. Creating rogue OIDC providers can enable attackers to bypass multi-factor authentication controls. The number of potential victims depends on the scope of the compromised AWS environment, potentially affecting organizations of any size that rely on AWS services.
Recommendation
- Deploy the Sigma rule "AWS IAM OIDC Provider Created by Rare User" to detect anomalous OIDC provider creation events (rule "AWS IAM OIDC Provider Created by Rare User"). Enable AWS CloudTrail logs for monitoring IAM events (log source: aws.cloudtrail).
- Restrict
iam:CreateOpenIDConnectProviderpermissions to authorized roles or users only. - Review and remove any IAM roles that trust the rogue provider if unauthorized OIDC provider is identified based on alert.
- Monitor AWS CloudTrail logs for
AssumeRoleWithWebIdentitycalls associated with newly created OIDC providers to detect potential abuse (log source: aws.cloudtrail). - Implement AWS Config rules to monitor identity provider configurations and detect unauthorized changes.
Detection coverage 2
AWS IAM OIDC Provider Created
mediumDetects the creation of an OpenID Connect (OIDC) Identity Provider in AWS IAM.
AWS IAM OIDC Provider Trust Policy Update
highDetects updates to IAM role trust policies to include the newly created OIDC provider.
Detection queries are available on the platform. Get full rules →