AWS SAML Identity Provider Modification
An adversary may attempt to modify the AWS SAML Identity Provider configuration to potentially escalate privileges or disrupt federated access.
This brief focuses on the potential modification of AWS SAML Identity Provider (IdP) configurations. While specific threat actors and campaigns are not detailed in the provided source, the action itself is a security concern. An attacker who gains sufficient privileges within an AWS environment might attempt to alter the SAML IdP settings to manipulate user access, potentially granting themselves elevated permissions or disrupting legitimate user authentication. This type of attack impacts cloud security by subverting federated identity management. Defenders should monitor for unexpected changes to SAML configurations.
Attack Chain
- Initial compromise of an AWS account with sufficient permissions to modify IAM resources (e.g., via compromised credentials or an EC2 instance with an overly permissive role).
- The attacker uses the AWS CLI or the AWS Management Console to list existing SAML Identity Providers.
- The attacker identifies the target SAML Identity Provider to modify.
- The attacker modifies the SAML metadata document associated with the Identity Provider, potentially injecting malicious claims or altering role mappings.
- The attacker updates the SAML Identity Provider configuration in AWS IAM with the modified metadata document using the
UpdateSAMLIdentityProviderAPI call. - The attacker tests the modified configuration to ensure it achieves the desired privilege escalation or access disruption.
- Legitimate users attempt to authenticate via SAML, potentially receiving incorrect roles/permissions or being denied access.
Impact
Successful modification of an AWS SAML Identity Provider can have significant consequences. An attacker could escalate their privileges within the AWS environment, gaining access to sensitive data and resources. They may also disrupt legitimate user access, leading to denial-of-service conditions for federated users. While the scale of impact depends on the scope of the compromised AWS account and the criticality of the federated applications, this attack can severely compromise cloud security.
Detection coverage 2
Detect AWS SAML Identity Provider Update via CloudTrail
mediumDetects modification of an AWS SAML Identity Provider configuration by monitoring CloudTrail logs for the `UpdateSAMLIdentityProvider` API call.
Detect IAM Role Assume with Unusual SAML Provider ARN
lowDetects an IAM role being assumed using a SAML provider ARN that deviates from expected norms, suggesting a potential misconfiguration or malicious update of the SAML provider.
Detection queries are available on the platform. Get full rules →