AWS IAM SAML Provider Created

Detects the creation of a new SAML Identity Provider (IdP) in AWS IAM. SAML providers enable federated authentication between AWS and external identity providers, allowing users to access AWS resources using credentials from the external IdP. Adversaries who have gained administrative access may create rogue SAML providers to establish persistent, federated access to AWS accounts that survives credential rotation. This technique allows attackers to assume roles and access resources by forging SAML assertions from an IdP they control. Creating a SAML provider is a rare administrative action that should be closely monitored and validated against authorized infrastructure changes.

Rule type: query
Rule indices:

  • filebeat-*
  • logs-aws.cloudtrail-*

Rule Severity: medium
Risk Score: 47
Runs every:
Searches indices from: now-6m
Maximum alerts per execution: 100
References:

Tags:

  • Domain: Cloud
  • Data Source: AWS
  • Data Source: Amazon Web Services
  • Data Source: AWS IAM
  • Use Case: Identity and Access Audit
  • Tactic: Persistence
  • Resources: Investigation Guide

Version: 1
Rule authors:

  • Elastic

Rule license: Elastic License v2

SAML (Security Assertion Markup Language) providers in AWS IAM enable federated authentication, allowing users from external identity providers to access AWS resources without separate AWS credentials. Creating a SAML provider establishes a trust relationship between AWS and the external IdP.

This rule detects successful CreateSAMLProvider API calls. In most environments, SAML provider creation is extremely rare—typically only occurring during initial SSO setup or major infrastructure changes. An unauthorized SAML provider creation could enable an attacker to maintain persistent access by forging SAML assertions from an IdP they control.

Possible investigation steps

  • Identify the actor

    • Review aws.cloudtrail.user_identity.arn to determine who created the SAML provider.
    • Verify whether this principal is authorized to manage identity federation.
  • Review the SAML provider details

    • Examine aws.cloudtrail.request_parameters for the SAML provider name and metadata document.
    • Identify the external IdP URL and signing certificate in the metadata.
  • Validate business justification

    • Confirm with identity management or platform teams whether this aligns with planned SSO integration.
    • Check for related change tickets or infrastructure-as-code deployments.
  • Check for follow-on activity

    • Search for CreateRole or UpdateAssumeRolePolicy calls that reference the new SAML provider.
    • Look for AssumeRoleWithSAML calls using the newly created provider.
  • Correlate with other suspicious activity

    • Check for preceding privilege escalation or credential access events.
    • Look for other persistence mechanisms being established concurrently.

False positive analysis

  • Planned SSO integration

    • SAML providers are created during initial setup of identity federation with Okta, Azure AD, or other IdPs.
    • Validate against documented SSO integration projects.
  • Infrastructure-as-code deployments

    • Terraform, CloudFormation, or other IaC tools may create SAML providers as part of automated deployments.
    • Confirm via CI/CD logs.

Response and remediation

  • Immediate containment

    • If unauthorized, delete the SAML provider using DeleteSAMLProvider.
    • Review and remove any IAM roles that trust the rogue provider.
  • Investigation

    • Audit CloudTrail for any AssumeRoleWithSAML calls using this provider.
    • Review all IAM roles with SAML trust relationships.
  • Hardening

    • Restrict iam:CreateSAMLProvider permissions to a limited set of administrative roles.
    • Implement SCPs to control SAML provider creation in member accounts.
    • Enable AWS Config rules to monitor identity provider configurations.
Rule query:

event.dataset: "aws.cloudtrail"
    and event.provider: "iam.amazonaws.com"
    and event.action: "CreateSAMLProvider"
    and event.outcome: "success"
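As an added example (not part of the Elastic rule and not Elastic's code), the following Python evaluates the rule query's four conditions over a handful of constructed ECS-style CloudTrail events, then performs the two follow-on pivots from the investigation steps: finding CreateRole or UpdateAssumeRolePolicy calls whose trust policy names the new provider, and AssumeRoleWithSAML calls that used it. The account ID, ARNs, principal names and event contents are constructed for the example; the field layout (sAMLProviderArn in responseElements, assumeRolePolicyDocument and principalArn in requestParameters) follows CloudTrail as the author of this example understands it and is an assumption, not something the rule page states.

```python
import json

# Constructed sample values (not real identifiers).
PROVIDER_ARN = "arn:aws:iam::111111111111:saml-provider/example-idp"
ADMIN_ARN = "arn:aws:iam::111111111111:user/example-admin"
ROLE_ARN = "arn:aws:iam::111111111111:role/example-federated-admin"


def _evt(action, params, outcome="success", provider="iam.amazonaws.com", response=None):
    """Build one flattened, ECS-style CloudTrail event (sample-data helper)."""
    return {
        "event.dataset": "aws.cloudtrail",
        "event.provider": provider,
        "event.action": action,
        "event.outcome": outcome,
        "aws.cloudtrail.user_identity.arn": ADMIN_ARN,
        "aws.cloudtrail.request_parameters": json.dumps(params),
        "aws.cloudtrail.response_elements": json.dumps(response or {}),
    }


# Trust policy of the kind a role would carry to accept assertions from the provider.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
    }],
}

# Constructed event stream: one failed attempt, one real creation, one unrelated
# IAM call, and two follow-on events that reference the new provider.
EVENTS = [
    _evt("CreateSAMLProvider", {"name": "example-idp"}, outcome="failure"),
    _evt("CreateSAMLProvider",
         {"name": "example-idp", "sAMLMetadataDocument": "<EntityDescriptor/>"},
         response={"sAMLProviderArn": PROVIDER_ARN}),
    _evt("CreateUser", {"userName": "example-svc"}),
    _evt("CreateRole", {"roleName": "example-federated-admin",
                        "assumeRolePolicyDocument": json.dumps(TRUST_POLICY)}),
    _evt("AssumeRoleWithSAML", {"principalArn": PROVIDER_ARN, "roleArn": ROLE_ARN},
         provider="sts.amazonaws.com"),
]


def matches_rule(event):
    """The rule query: all four conjuncts must hold for the event to alert."""
    return (event.get("event.dataset") == "aws.cloudtrail"
            and event.get("event.provider") == "iam.amazonaws.com"
            and event.get("event.action") == "CreateSAMLProvider"
            and event.get("event.outcome") == "success")


def find_alerts(events):
    return [e for e in events if matches_rule(e)]


def provider_arn(alert):
    """ARN of the created provider, read from the call's responseElements."""
    return json.loads(alert["aws.cloudtrail.response_elements"]).get("sAMLProviderArn")


def follow_on_activity(events, arn):
    """Pivots from the investigation guide: roles whose trust policy names the
    provider, and federated sessions opened through it."""
    trusting_roles, saml_sessions = [], []
    for e in events:
        if e.get("event.outcome") != "success":
            continue
        params = json.loads(e.get("aws.cloudtrail.request_parameters") or "{}")
        action = e.get("event.action")
        if action in ("CreateRole", "UpdateAssumeRolePolicy"):
            # CreateRole carries assumeRolePolicyDocument; UpdateAssumeRolePolicy carries policyDocument.
            doc = params.get("assumeRolePolicyDocument") or params.get("policyDocument") or ""
            if arn in doc:
                trusting_roles.append(params.get("roleName"))
        elif action == "AssumeRoleWithSAML" and params.get("principalArn") == arn:
            saml_sessions.append(params.get("roleArn"))
    return {"trusting_roles": trusting_roles, "saml_sessions": saml_sessions}


def triage(events):
    """Run the detection and attach actor plus follow-on context to each alert."""
    findings = []
    for alert in find_alerts(events):
        arn = provider_arn(alert)
        findings.append({"actor": alert["aws.cloudtrail.user_identity.arn"],
                         "provider_arn": arn,
                         **follow_on_activity(events, arn)})
    return findings


if __name__ == "__main__":
    print(json.dumps(triage(EVENTS), indent=2))
```

Only the successful creation alerts; the failed attempt and the unrelated CreateUser call are ignored, which mirrors the event.outcome and event.action conjuncts of the query. The trust-policy check is a substring match on the raw policy document, which is deliberately loose: an analyst pivoting in Kibana would do the equivalent with a wildcard search on aws.cloudtrail.request_parameters for the provider ARN.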

Framework: MITRE ATT&CK