AWS IAM OpenID Connect Provider Creation by Rare User
Adversaries with administrative access to an AWS account may create rogue OpenID Connect (OIDC) Identity Providers to establish persistent, federated access that bypasses credential rotation and allows them to assume IAM roles using tokens from an attacker-controlled Identity Provider.
This threat brief details the creation of OpenID Connect (OIDC) Identity Providers within AWS Identity and Access Management (IAM) by uncommon users or roles, a technique frequently abused by adversaries. OIDC providers are legitimately used to enable web identity federation, allowing users authenticated by external identity providers (like Google, GitHub, or custom OIDC-compliant services) to assume IAM roles and access AWS resources. However, if an attacker gains administrative access to an AWS environment, they can create a malicious OIDC provider to establish a highly persistent backdoor. This allows them to maintain federated access, often surviving credential rotation, by generating tokens from an Identity Provider (IdP) they control to assume trusted IAM roles. This activity, especially when performed by a user or role that has not previously created such providers, is a strong indicator of compromise or unauthorized access and requires immediate investigation.
Impact
Successful exploitation allows adversaries to establish a persistent and stealthy access mechanism to the compromised AWS environment. By controlling their own OIDC IdP, attackers can assume any IAM role configured to trust their rogue provider, gaining extensive access to AWS services, data, and resources. This could lead to unauthorized data exfiltration, modification or deletion of critical infrastructure, disruption of services, and further privilege escalation within the cloud environment. The nature of federated access makes detection and remediation challenging, as traditional credential rotations may not revoke the attacker's access. The persistence established can be difficult to eradicate, enabling long-term compromise and control over the victim's AWS infrastructure.
Recommendation
- Deploy the provided Sigma rule to detect
CreateOpenIDConnectProvideractions within your AWS environment, ensuring it's integrated with your SIEM and tuned for your specific baseline. - Implement least privilege principles by restricting
iam:CreateOpenIDConnectProviderpermissions to only authorized roles and users that explicitly require this capability. - Enable AWS Config rules to continuously monitor and report on changes to identity provider configurations, including the creation of new OIDC providers.
- For suspicious detections, review AWS CloudTrail logs, specifically
aws.cloudtrail.user_identity.arnto identify the actor andaws.cloudtrail.request_parametersto examine the OIDC provider's URL and client IDs. - Validate any OIDC provider creation against approved change management processes, especially for new or uncommon actors.
Detection coverage 1
AWS IAM OpenID Connect Provider Creation
highDetects the creation of an OpenID Connect (OIDC) Identity Provider in AWS IAM. While legitimate for web identity federation, adversaries may create rogue OIDC providers for persistent access after compromising administrative credentials. This rule provides the basis for detection; further tuning in your SIEM can incorporate 'rare user' logic.
Detection queries are available on the platform. Get full rules →