AWS IAM SAML Provider Creation for Persistence
Detects the creation of a new SAML Identity Provider (IdP) in AWS IAM, potentially indicating an adversary establishing persistent, federated access to AWS accounts by forging SAML assertions from an IdP they control.
This detection identifies the creation of a new SAML Identity Provider (IdP) within Amazon Web Services Identity and Access Management (AWS IAM). SAML providers facilitate federated authentication between AWS and external identity providers. An attacker with administrative access could create a rogue SAML provider to maintain persistent access to AWS environments, bypassing normal credential rotation. This is achieved by forging SAML assertions, enabling the attacker to assume roles and access resources. The creation of SAML providers is typically a rare event, tied to initial SSO setup or significant infrastructure changes. This rule aims to detect anomalous instances of this event that deviate from established change management processes. Defenders should prioritize monitoring and validating these actions.
Attack Chain
- An adversary gains initial administrative access to an AWS account. This could be through compromised credentials or exploiting a misconfiguration.
- The attacker attempts to elevate privileges within the AWS environment to gain the necessary permissions to create IAM resources.
- The adversary creates a new, malicious SAML Identity Provider (IdP) within AWS IAM using the
CreateSAMLProviderAPI call. - The attacker uploads a crafted SAML metadata document to the newly created SAML provider, defining the trust relationship.
- The attacker creates or modifies IAM roles to trust the malicious SAML provider. This allows users authenticated via the attacker's IdP to assume these roles.
- The attacker forges SAML assertions using the attacker-controlled IdP, authenticating as a user who is authorized to assume a trusted role.
- The attacker uses the
AssumeRoleWithSAMLAPI call to assume the IAM role, gaining access to AWS resources. - The attacker maintains persistent access to the AWS environment, even if the original compromised credentials are rotated.
Impact
Successful exploitation allows attackers to establish persistent access within an AWS environment. The potential damage includes unauthorized access to sensitive data, resource manipulation, and service disruption. The number of affected victims is dependent on the scope of the initial compromise and the permissions granted to the roles assumed via the rogue SAML provider. Organizations utilizing federated authentication are particularly vulnerable.
Recommendation
- Deploy the Sigma rule
AWS IAM SAML Provider Createdto your SIEM and tune for your environment to detect the creation of new SAML providers (rule). - Restrict
iam:CreateSAMLProviderpermissions to a limited set of administrative roles to reduce the attack surface (content). - Monitor AWS CloudTrail logs for
CreateSAMLProviderevents, focusing on unexpected user identities or source IP addresses (rule). - Review existing IAM roles and trust policies for unauthorized trust relationships with external SAML providers (content).
- Implement AWS Config rules to continuously monitor identity provider configurations for deviations from approved baselines (content).
Detection coverage 3
AWS IAM SAML Provider Created
mediumDetects the creation of a new SAML Identity Provider (IdP) in AWS IAM.
AWS IAM AssumeRoleWithSAML Activity
lowDetects AssumeRoleWithSAML API calls, which may indicate use of a newly created or compromised SAML Provider
AWS IAM Role Trust Policy Modification Referencing SAML Provider
mediumDetects updates to IAM role trust policies that reference a SAML provider, potentially indicating malicious trust relationship establishment
Detection queries are available on the platform. Get full rules →