AWS IAM OIDC Provider Created by Rare User

Detects when an uncommon user or role creates an OpenID Connect (OIDC) Identity Provider in AWS IAM. OIDC providers enable web identity federation, allowing users authenticated by external identity providers (such as Google, GitHub, or custom OIDC-compliant providers) to assume IAM roles and access AWS resources. Adversaries who have gained administrative access may create rogue OIDC providers to establish persistent, federated access that survives credential rotation. This technique allows attackers to assume roles using tokens from an IdP they control. While OIDC provider creation is benign in some environments, it should still be validated against authorized infrastructure changes.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2026/02/05"
integration = ["aws"]
maturity = "production"
updated_date = "2026/02/05"

[rule]
author = ["Elastic"]
description = """
Detects when an uncommon user or role creates an OpenID Connect (OIDC) Identity Provider in AWS IAM. OIDC providers
enable web identity federation, allowing users authenticated by external identity providers (such as Google, GitHub, or
custom OIDC-compliant providers) to assume IAM roles and access AWS resources. Adversaries who have gained
administrative access may create rogue OIDC providers to establish persistent, federated access that survives credential
rotation. This technique allows attackers to assume roles using tokens from an IdP they control. While OIDC provider
creation is benign in some environments, it should still be validated against authorized infrastructure changes.
"""
false_positives = [
    """
    OIDC providers may be created during legitimate CI/CD integration (e.g., GitHub Actions, GitLab CI), Kubernetes
    service account federation, or other web identity use cases. Verify whether the user identity and timing align with
    approved change management processes. If this is expected administrative activity, it can be exempted from the rule.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS IAM OIDC Provider Created by Rare User"
note = """## Triage and analysis

### Investigating AWS IAM OIDC Provider Created by Rare User

OpenID Connect (OIDC) providers in AWS IAM enable web identity federation, allowing external identity providers to authenticate users who then assume IAM roles. Common legitimate use cases include GitHub Actions accessing AWS resources, Kubernetes pods authenticating to AWS, and web applications using social login.

This rule detects the first time a specific user or role creates an OIDC provider within an account. While OIDC provider creation is common in some environments, a new user creating one for the first time warrants validation to ensure it's authorized.

### Possible investigation steps

- **Identify the actor**
  - Review `aws.cloudtrail.user_identity.arn` to determine who created the OIDC provider.
  - Check if this user has created OIDC providers before in other accounts.

- **Review the OIDC provider details**
  - Examine `aws.cloudtrail.request_parameters` for the provider URL and client IDs.
  - Identify the external IdP (e.g., GitHub, Google, custom provider).

- **Validate business justification**
  - Confirm with DevOps or platform teams whether this aligns with CI/CD pipeline setup.
  - Check for related change tickets or infrastructure-as-code deployments.

- **Check for follow-on activity**
  - Search for `CreateRole` or `UpdateAssumeRolePolicy` calls that trust the new OIDC provider.
  - Look for `AssumeRoleWithWebIdentity` calls using the newly created provider.

- **Correlate with other suspicious activity**
  - Check for preceding privilege escalation or credential access events.
  - Look for other persistence mechanisms being established concurrently.

### False positive analysis

- **CI/CD pipeline integration**
  - GitHub Actions, GitLab CI, and other CI/CD systems commonly use OIDC for AWS authentication.
  - Validate against known DevOps workflows.

- **Kubernetes federation**
  - EKS and self-managed Kubernetes clusters may use OIDC providers for pod identity.
  - Confirm with platform engineering teams.

- **Infrastructure-as-code deployments**
  - Terraform, CloudFormation, or other IaC tools may create OIDC providers.
  - Verify via CI/CD logs.

### Response and remediation

- **Immediate containment**
  - If unauthorized, delete the OIDC provider using `DeleteOpenIDConnectProvider`.
  - Review and remove any IAM roles that trust the rogue provider.

- **Investigation**
  - Audit CloudTrail for any `AssumeRoleWithWebIdentity` calls using this provider.
  - Review all IAM roles with web identity trust relationships.

- **Hardening**
  - Restrict `iam:CreateOpenIDConnectProvider` permissions to authorized roles.
  - Implement SCPs to control OIDC provider creation in member accounts.
  - Enable AWS Config rules to monitor identity provider configurations.

### Additional information
- **[AWS IAM OIDC Providers Documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html)**
- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)**
- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)**
"""
references = [
    "https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateOpenIDConnectProvider.html",
    "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html",
    "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a",
]
risk_score = 47
rule_id = "47403d72-3ee2-4752-a676-19dc8ff2b9d6"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS IAM",
    "Use Case: Identity and Access Audit",
    "Tactic: Persistence",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.dataset: "aws.cloudtrail"
    and event.provider: "iam.amazonaws.com"
    and event.action: "CreateOpenIDConnectProvider"
    and event.outcome: "success"
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1484"
name = "Domain or Tenant Policy Modification"
reference = "https://attack.mitre.org/techniques/T1484/"
[[rule.threat.technique.subtechnique]]
id = "T1484.002"
name = "Trust Modification"
reference = "https://attack.mitre.org/techniques/T1484/002/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
    "aws.cloudtrail.response_elements",
]

[rule.new_terms]
field = "new_terms_fields"
value = ["cloud.account.id", "user.name"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-10d"
```
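The following Python is an added illustration, not code from the Elastic rule or its repository. It replays the rule's logic offline on constructed, ECS-flattened CloudTrail records: the KQL filter, the `new_terms` evaluation over the (`cloud.account.id`, `user.name`) pair with the 10-day history window, and the "check for follow-on activity" triage step that finds roles whose trust policy names the newly created provider. The sample events, account id, usernames, provider ARN and the `openIDConnectProviderArn` response key are all constructed for the example.

```python
import json
from datetime import datetime, timedelta

def ev(ts, action, user, **extra):
    """Constructed CloudTrail record, flattened to the ECS field names the rule queries."""
    rec = {"@timestamp": datetime.fromisoformat(ts), "event.dataset": "aws.cloudtrail",
           "event.provider": "iam.amazonaws.com", "event.action": action,
           "event.outcome": "success", "cloud.account.id": "111111111111", "user.name": user}
    return {**rec, **extra}

PROVIDER_ARN = "arn:aws:iam::111111111111:oidc-provider/token.actions.githubusercontent.com"
TRUST = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN}, "Action": "sts:AssumeRoleWithWebIdentity"}]})
SAMPLE_EVENTS = [  # constructed: a routine creator, then a first-timer who at once wires a role trust to the new provider
    ev("2026-01-28T09:00:00+00:00", "CreateOpenIDConnectProvider", "ci-admin"),
    ev("2026-02-05T10:00:00+00:00", "CreateOpenIDConnectProvider", "ci-admin"),   # 8 days later: inside window, suppressed
    ev("2026-02-05T11:00:00+00:00", "CreateOpenIDConnectProvider", "contractor-tmp",
       **{"aws.cloudtrail.response_elements": json.dumps({"openIDConnectProviderArn": PROVIDER_ARN})}),
    ev("2026-02-05T11:05:00+00:00", "CreateRole", "contractor-tmp",
       **{"aws.cloudtrail.request_parameters": json.dumps(
           {"roleName": "deploy-role", "assumeRolePolicyDocument": TRUST})}),
]

def new_terms_alerts(events, window=timedelta(days=10)):  # window mirrors history_window_start = "now-10d"
    """Apply the rule's KQL, then alert when (cloud.account.id, user.name) was not seen within the window."""
    last_seen, alerts = {}, []
    for rec in sorted(events, key=lambda r: r["@timestamp"]):
        if not (rec["event.dataset"] == "aws.cloudtrail" and rec["event.provider"] == "iam.amazonaws.com"
                and rec["event.action"] == "CreateOpenIDConnectProvider" and rec["event.outcome"] == "success"):
            continue
        key = (rec["cloud.account.id"], rec["user.name"])
        prev = last_seen.get(key)
        if prev is None or rec["@timestamp"] - prev > window:
            alerts.append(rec)
        last_seen[key] = rec["@timestamp"]
    return alerts

def roles_trusting(events, provider_arn):
    """Follow-on triage: roles whose CreateRole/UpdateAssumeRolePolicy trust document names the provider."""
    roles = []
    for rec in events:
        if rec["event.action"] not in ("CreateRole", "UpdateAssumeRolePolicy"):
            continue
        params = json.loads(rec.get("aws.cloudtrail.request_parameters", "{}"))
        doc = json.loads(params.get("assumeRolePolicyDocument", "{}"))
        for st in doc.get("Statement", []):
            fed = st.get("Principal", {}).get("Federated", [])
            if provider_arn in (fed if isinstance(fed, list) else [fed]):
                roles.append(params["roleName"])
    return roles
```

On the sample, only the first `ci-admin` creation and the `contractor-tmp` creation alert, and the second function ties `deploy-role` to the provider the alerting user created.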
