Threat Feed
high advisory

AWS Identity Center Identity Provider Modification

An adversary modifies the AWS Identity Center identity provider configuration, potentially leading to persistent access and privilege escalation through user impersonation.

AWS Identity Center (formerly AWS SSO) provides centralized management of access to AWS accounts and applications, so the identity provider (IdP) it trusts is the root of trust for every account it manages. An attacker who can modify the configured IdP within AWS Identity Center can reach a full compromise of the AWS environment: by associating a directory they control, or by disabling or disassociating the legitimate directory, they can establish persistent access, escalate privileges, and impersonate legitimate users. The prerequisite is the ability to call the Identity Center APIs, obtained through compromised AWS credentials or by exploiting a vulnerability in the AWS environment.

Attack Chain

  1. Initial access is gained via compromised AWS credentials or by exploiting an AWS vulnerability.
  2. The attacker enumerates the current AWS Identity Center configuration to identify the currently associated directory.
  3. The attacker disassociates the existing, legitimate directory using DisassociateDirectory.
  4. The attacker associates a malicious directory they control using AssociateDirectory. This malicious directory is configured to impersonate legitimate users.
  5. Alternatively, instead of swapping directories, the attacker disables the external IdP configuration for the existing directory using DisableExternalIdPConfigurationForDirectory.
  6. The attacker then re-enables external IdP configuration for the directory, pointing it at an attacker-controlled IdP, using EnableExternalIdPConfigurationForDirectory.
  7. The attacker uses the malicious or attacker-controlled IdP to authenticate as legitimate users, gaining access to AWS resources.
  8. The attacker performs malicious actions within the AWS environment, such as data exfiltration or resource destruction.

Impact

Successful modification of the AWS Identity Center identity provider can lead to complete compromise of an AWS environment. Attackers can gain persistent access, escalate privileges, and impersonate legitimate users. This can result in data breaches, service disruption, financial loss, and reputational damage. The impact can extend to all AWS accounts and applications managed by the compromised Identity Center instance.

Recommendation

  • Deploy the provided Sigma rule to your SIEM to detect unauthorized changes to the AWS Identity Center identity provider.
  • Investigate any detected events related to AssociateDirectory, DisableExternalIdPConfigurationForDirectory, DisassociateDirectory, or EnableExternalIdPConfigurationForDirectory in AWS CloudTrail logs.
  • Implement multi-factor authentication (MFA) for all AWS accounts and users to reduce the risk of credential compromise.
  • Review and restrict IAM permissions to minimize the blast radius of compromised credentials.
  • Monitor AWS CloudTrail logs for unusual activity patterns that might indicate malicious directory association attempts.
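As an added example (not part of this advisory or the platform's own rules), a small Python triage helper that applies the four CloudTrail indicators listed above to newline-delimited records and pairs a DisassociateDirectory with a following AssociateDirectory by the same principal, the swap described in attack-chain steps 3 and 4. It assumes Identity Center API calls are logged with eventSource sso.amazonaws.com and uses constructed sample records.

```python
"""Triage AWS CloudTrail records for Identity Center IdP changes."""
import json

# API calls named in the advisory, mapped to the severity of the matching
# detection rule below (high for IdP change, medium for disassociation).
IDP_CHANGE_EVENTS = {
    "AssociateDirectory": "high",
    "DisableExternalIdPConfigurationForDirectory": "high",
    "EnableExternalIdPConfigurationForDirectory": "high",
    "DisassociateDirectory": "medium",
}
SSO_EVENT_SOURCE = "sso.amazonaws.com"  # Identity Center eventSource (assumption)

def is_idp_change(event: dict) -> bool:
    """True when one CloudTrail record matches the advisory's indicators."""
    return (event.get("eventSource") == SSO_EVENT_SOURCE
            and event.get("eventName") in IDP_CHANGE_EVENTS)

def triage(events: list[dict]) -> list[dict]:
    """One alert per matching record. DisassociateDirectory followed by
    AssociateDirectory from the same principal is flagged as a directory
    swap (attack-chain steps 3 and 4) rather than two unrelated events."""
    alerts, disassociated_by = [], set()
    for ev in events:
        if not is_idp_change(ev):
            continue
        name = ev["eventName"]
        who = ev.get("userIdentity", {}).get("arn", "unknown")
        alert = {"eventName": name, "principal": who,
                 "sourceIP": ev.get("sourceIPAddress"),
                 "severity": IDP_CHANGE_EVENTS[name], "directory_swap": False}
        if name == "DisassociateDirectory":
            disassociated_by.add(who)
        elif name == "AssociateDirectory" and who in disassociated_by:
            alert["directory_swap"] = True
        alerts.append(alert)
    return alerts

# Constructed sample records (not real CloudTrail output): a benign read call,
# then a disassociation and an association by the same assumed role.
SAMPLE_LOG = """
{"eventSource": "sso.amazonaws.com", "eventName": "ListInstances", "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/Admin/alice"}, "sourceIPAddress": "198.51.100.10"}
{"eventSource": "sso.amazonaws.com", "eventName": "DisassociateDirectory", "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/Admin/alice"}, "sourceIPAddress": "198.51.100.10"}
{"eventSource": "sso.amazonaws.com", "eventName": "AssociateDirectory", "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/Admin/alice"}, "sourceIPAddress": "198.51.100.10"}
"""

def triage_sample() -> list[dict]:
    """Parse the newline-delimited sample and run triage over it."""
    return triage([json.loads(line) for line in SAMPLE_LOG.strip().splitlines()])
```

Running triage_sample() yields two alerts: the medium-severity disassociation and the high-severity association, the latter marked as a directory swap because the same role performed both.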

Detection coverage (2 rules)

AWS Identity Center Identity Provider Change

high

Detects a change in the AWS Identity Center (formerly AWS SSO) identity provider, which could indicate malicious activity.

Format: sigma
Tactics: credential-access, defense-impairment, persistence
Techniques: T1556
Sources: aws, cloudtrail

AWS SSO Directory Disassociation

medium

Detects the disassociation of a directory from AWS SSO, which may precede malicious reassociation.

Format: sigma
Tactics: credential-access, persistence
Techniques: T1556
Sources: aws, cloudtrail

Detection queries are kept inside the platform.