AWS IAM SAML Provider Created
Detects the creation of a new SAML Identity Provider (IdP) in AWS IAM. SAML providers enable federated authentication between AWS and external identity providers, allowing users to access AWS resources using credentials from the external IdP. Adversaries who have gained administrative access may create rogue SAML providers to establish persistent, federated access to AWS accounts that survives credential rotation. This technique allows attackers to assume roles and access resources by forging SAML assertions from an IdP they control. Creating a SAML provider is a rare administrative action that should be closely monitored and validated against authorized infrastructure changes.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2026/02/05"
integration = ["aws"]
maturity = "production"
updated_date = "2026/02/05"

[rule]
author = ["Elastic"]
description = """
Detects the creation of a new SAML Identity Provider (IdP) in AWS IAM. SAML providers enable federated authentication
between AWS and external identity providers, allowing users to access AWS resources using credentials from the external
IdP. Adversaries who have gained administrative access may create rogue SAML providers to establish persistent,
federated access to AWS accounts that survives credential rotation. This technique allows attackers to assume roles and
access resources by forging SAML assertions from an IdP they control. Creating a SAML provider is a rare administrative
action that should be closely monitored and validated against authorized infrastructure changes.
"""
false_positives = [
    """
    SAML providers may be created during legitimate identity federation setup, SSO integration projects, or
    infrastructure-as-code deployments. Verify whether the user identity and timing align with approved change
    management processes. If this is expected administrative activity, it can be exempted from the rule.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS IAM SAML Provider Created"
note = """## Triage and analysis

### Investigating AWS IAM SAML Provider Created

SAML (Security Assertion Markup Language) providers in AWS IAM enable federated authentication, allowing users from external identity providers to access AWS resources without separate AWS credentials. Creating a SAML provider establishes a trust relationship between AWS and the external IdP.

This rule detects successful `CreateSAMLProvider` API calls. In most environments, SAML provider creation is extremely rare, typically only occurring during initial SSO setup or major infrastructure changes. An unauthorized SAML provider creation could enable an attacker to maintain persistent access by forging SAML assertions from an IdP they control.

### Possible investigation steps

- **Identify the actor**
    - Review `aws.cloudtrail.user_identity.arn` to determine who created the SAML provider.
    - Verify whether this principal is authorized to manage identity federation.

- **Review the SAML provider details**
    - Examine `aws.cloudtrail.request_parameters` for the SAML provider name and metadata document.
    - Identify the external IdP URL and signing certificate in the metadata.

- **Validate business justification**
    - Confirm with identity management or platform teams whether this aligns with planned SSO integration.
    - Check for related change tickets or infrastructure-as-code deployments.

- **Check for follow-on activity**
    - Search for `CreateRole` or `UpdateAssumeRolePolicy` calls that reference the new SAML provider.
    - Look for `AssumeRoleWithSAML` calls using the newly created provider.

- **Correlate with other suspicious activity**
    - Check for preceding privilege escalation or credential access events.
    - Look for other persistence mechanisms being established concurrently.

### False positive analysis

- **Planned SSO integration**
    - SAML providers are created during initial setup of identity federation with Okta, Azure AD, or other IdPs.
    - Validate against documented SSO integration projects.

- **Infrastructure-as-code deployments**
    - Terraform, CloudFormation, or other IaC tools may create SAML providers as part of automated deployments.
    - Confirm via CI/CD logs.

### Response and remediation

- **Immediate containment**
    - If unauthorized, delete the SAML provider using `DeleteSAMLProvider`.
    - Review and remove any IAM roles that trust the rogue provider.

- **Investigation**
    - Audit CloudTrail for any `AssumeRoleWithSAML` calls using this provider.
    - Review all IAM roles with SAML trust relationships.

- **Hardening**
    - Restrict `iam:CreateSAMLProvider` permissions to a limited set of administrative roles.
    - Implement SCPs to control SAML provider creation in member accounts.
    - Enable AWS Config rules to monitor identity provider configurations.

### Additional information
- **[AWS IAM SAML Providers Documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html)**
- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)**
- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)**
"""
references = [
    "https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateSAMLProvider.html",
    "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html",
    "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a",
]
risk_score = 47
rule_id = "a80ffc40-a256-475a-a86a-74361930cdb1"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS IAM",
    "Use Case: Identity and Access Audit",
    "Tactic: Persistence",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset: "aws.cloudtrail"
    and event.provider: "iam.amazonaws.com"
    and event.action: "CreateSAMLProvider"
    and event.outcome: "success"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1484"
name = "Domain or Tenant Policy Modification"
reference = "https://attack.mitre.org/techniques/T1484/"
[[rule.threat.technique.subtechnique]]
id = "T1484.002"
name = "Trust Modification"
reference = "https://attack.mitre.org/techniques/T1484/002/"



[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
    "aws.cloudtrail.response_elements",
]
Triage and analysis

Investigating AWS IAM SAML Provider Created

SAML (Security Assertion Markup Language) providers in AWS IAM enable federated authentication, allowing users from external identity providers to access AWS resources without separate AWS credentials. Creating a SAML provider establishes a trust relationship between AWS and the external IdP.

This rule detects successful `CreateSAMLProvider` API calls. In most environments, SAML provider creation is extremely rare, typically only occurring during initial SSO setup or major infrastructure changes. An unauthorized SAML provider creation could enable an attacker to maintain persistent access by forging SAML assertions from an IdP they control.

Possible investigation steps

- Identify the actor
  - Review `aws.cloudtrail.user_identity.arn` to determine who created the SAML provider.
  - Verify whether this principal is authorized to manage identity federation.
- Review the SAML provider details
  - Examine `aws.cloudtrail.request_parameters` for the SAML provider name and metadata document.
  - Identify the external IdP URL and signing certificate in the metadata.
- Validate business justification
  - Confirm with identity management or platform teams whether this aligns with planned SSO integration.
  - Check for related change tickets or infrastructure-as-code deployments.
- Check for follow-on activity
  - Search for `CreateRole` or `UpdateAssumeRolePolicy` calls that reference the new SAML provider.
  - Look for `AssumeRoleWithSAML` calls using the newly created provider.
- Correlate with other suspicious activity
  - Check for preceding privilege escalation or credential access events.
  - Look for other persistence mechanisms being established concurrently.
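The investigation steps above, carried out over raw CloudTrail records, as an added example that is not Elastic's code and is not part of the rule: it applies the same predicate as the KQL query (IAM `CreateSAMLProvider` with no error), parses the `sAMLMetadataDocument` from the request parameters to pull out the IdP entity ID, SSO endpoint and signing-certificate fingerprint, then scans later events for `CreateRole`/`UpdateAssumeRolePolicy` trust policies that name the new provider ARN and for `AssumeRoleWithSAML` logins through it. It uses native CloudTrail field names rather than the ECS fields the rule queries; the events, ARNs, IdP URLs and the "certificate" are all constructed for the demo, and the URL-decoding of policy documents is an assumption about how CloudTrail serialises them.

```python
"""Triage helper for "AWS IAM SAML Provider Created" over raw CloudTrail JSON. Added example,
not Elastic's code; native CloudTrail field names, and every event below is constructed."""
import base64, hashlib, json
import xml.etree.ElementTree as ET
from urllib.parse import unquote

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
IAM, STS = "iam.amazonaws.com", "sts.amazonaws.com"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def is_saml_provider_created(ev: dict) -> bool:
    """Same predicate as the rule's KQL: a successful IAM CreateSAMLProvider call."""
    return ev.get("eventSource") == IAM and ev.get("eventName") == "CreateSAMLProvider" and "errorCode" not in ev

def describe_metadata(xml_text: str) -> dict:
    """entityID, SSO endpoint and SHA-256 of each signing cert from the IdP metadata."""
    root = ET.fromstring(xml_text)
    sso = root.find("md:IDPSSODescriptor/md:SingleSignOnService", NS)
    certs = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        c = kd.find(".//ds:X509Certificate", NS)
        if kd.get("use", "signing") == "signing" and c is not None and c.text:  # no 'use' = both
            certs.append(sha256_hex(base64.b64decode("".join(c.text.split()))))
    return {"entity_id": root.get("entityID"),
            "sso_url": sso.get("Location") if sso is not None else None,
            "signing_cert_sha256": certs}

def trust_policy_references(policy: str, provider_arn: str) -> bool:
    """True if a role trust policy lets provider_arn call sts:AssumeRoleWithSAML.
    CloudTrail sometimes URL-encodes policy documents (assumption), hence the unquote."""
    stmts = json.loads(unquote(policy)).get("Statement", [])
    for st in [stmts] if isinstance(stmts, dict) else stmts:
        acts = st.get("Action", [])
        acts = [acts] if isinstance(acts, str) else acts
        princ = st.get("Principal")
        fed = princ.get("Federated", []) if isinstance(princ, dict) else []
        fed = [fed] if isinstance(fed, str) else fed
        if st.get("Effect") == "Allow" and provider_arn in fed and \
                any(a in ("sts:AssumeRoleWithSAML", "sts:*", "*") for a in acts):
            return True
    return False

def triage(events: list) -> list:
    """Run the detection, then collect roles and logins tied to each new provider."""
    events = sorted(events, key=lambda e: e["eventTime"])
    findings = []
    for i, ev in enumerate(events):
        if not is_saml_provider_created(ev):
            continue
        arn = ev["responseElements"]["sAMLProviderArn"]
        f = {"provider_arn": arn, "actor": ev["userIdentity"]["arn"], "source_ip": ev.get("sourceIPAddress"),
             "idp": describe_metadata(ev["requestParameters"]["sAMLMetadataDocument"]),
             "roles_trusting_provider": [], "saml_logins": []}
        for later in events[i + 1:]:  # follow-on activity after the creation
            rp = later.get("requestParameters") or {}
            src, name = later.get("eventSource"), later.get("eventName")
            if src == IAM and name in ("CreateRole", "UpdateAssumeRolePolicy"):
                pol = rp.get("assumeRolePolicyDocument") or rp.get("policyDocument")
                if pol and trust_policy_references(pol, arn):
                    f["roles_trusting_provider"].append(rp["roleName"])
            elif src == STS and name == "AssumeRoleWithSAML" and rp.get("principalArn") == arn:
                f["saml_logins"].append(rp.get("roleArn"))
        findings.append(f)
    return findings

# --- constructed sample data (not real logs or certificates) ---------------------------
FAKE_CERT_DER = b"constructed placeholder, not a real certificate"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(FAKE_CERT_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
PROVIDER = "arn:aws:iam::111122223333:saml-provider/ExampleIdP"
TRUST = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"Federated": PROVIDER}, "Action": "sts:AssumeRoleWithSAML",
    "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}}}]})

def mk(t, src, name, rp, resp=None, **extra):
    return {"eventTime": t, "eventSource": src, "eventName": name, "requestParameters": rp,
            "responseElements": resp, "sourceIPAddress": "198.51.100.7",
            "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ops-admin"}, **extra}

SAMPLE_EVENTS = [  # a denied attempt, the real creation, two trust-policy changes, one federated login
    mk("2026-02-05T10:00:00Z", IAM, "CreateSAMLProvider",
       {"name": "ExampleIdP", "sAMLMetadataDocument": SAMPLE_METADATA}, errorCode="AccessDenied"),
    mk("2026-02-05T10:01:00Z", IAM, "CreateSAMLProvider",
       {"name": "ExampleIdP", "sAMLMetadataDocument": SAMPLE_METADATA}, {"sAMLProviderArn": PROVIDER}),
    mk("2026-02-05T10:02:00Z", IAM, "CreateRole", {"roleName": "FederatedAdmin", "assumeRolePolicyDocument": TRUST}),
    mk("2026-02-05T10:03:00Z", IAM, "UpdateAssumeRolePolicy",
       {"roleName": "Unrelated", "policyDocument": TRUST.replace("ExampleIdP", "OtherIdP")}),
    mk("2026-02-05T10:05:00Z", STS, "AssumeRoleWithSAML",
       {"principalArn": PROVIDER, "roleArn": "arn:aws:iam::111122223333:role/FederatedAdmin"}),
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

Running it prints one finding: the denied attempt is dropped by the success check, `FederatedAdmin` is the only role whose trust policy names the new provider (the `Unrelated` role trusts a different ARN), and the single `AssumeRoleWithSAML` call through the provider is listed as a login to chase. The certificate fingerprint is what you compare against the IdP your identity team actually operates; an entity ID that looks like your corporate IdP but a fingerprint that does not match is the signature of a rogue provider.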
False positive analysis

- Planned SSO integration
  - SAML providers are created during initial setup of identity federation with Okta, Azure AD, or other IdPs.
  - Validate against documented SSO integration projects.
- Infrastructure-as-code deployments
  - Terraform, CloudFormation, or other IaC tools may create SAML providers as part of automated deployments.
  - Confirm via CI/CD logs.
Response and remediation

- Immediate containment
  - If unauthorized, delete the SAML provider using `DeleteSAMLProvider`.
  - Review and remove any IAM roles that trust the rogue provider.
  - Deleting the provider stops new `AssumeRoleWithSAML` calls but does not end sessions already issued; those stay valid until they expire (up to the role's maximum session duration), so also revoke them by attaching a deny policy to the affected roles conditioned on `aws:TokenIssueTime` being earlier than the revocation time.
- Investigation
  - Audit CloudTrail for any `AssumeRoleWithSAML` calls using this provider.
  - Review all IAM roles with SAML trust relationships.
- Hardening
  - Restrict `iam:CreateSAMLProvider` permissions to a limited set of administrative roles.
  - Implement SCPs to control SAML provider creation in member accounts.
  - Enable AWS Config rules to monitor identity provider configurations.
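One way to express the SCP hardening step above, added here as an example rather than a policy shipped with the rule or published by AWS. The role name `IdentityAdmin` is an assumption; substitute the break-glass or identity-platform role your organization actually uses. The deny covers `UpdateSAMLProvider` as well as creation, because replacing the metadata document (and with it the signing certificate) of an existing, trusted provider gives an attacker the same persistence without ever triggering this rule's `CreateSAMLProvider` condition, so detect that action separately. SCPs do not apply to the management account, which needs the same restriction in its own IAM policies.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenySAMLProviderChangesOutsideIdentityAdmin",
      "Effect": "Deny",
      "Action": [
        "iam:CreateSAMLProvider",
        "iam:UpdateSAMLProvider",
        "iam:DeleteSAMLProvider"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/IdentityAdmin"
        }
      }
    }
  ]
}
```

Attach it to the organizational units holding member accounts. With it in place, a `CreateSAMLProvider` event with `errorCode: AccessDenied` from any principal other than that role is itself worth an alert, since it shows someone with IAM rights probing for federation persistence.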
Additional information

- AWS IAM SAML Providers Documentation: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html
- AWS IR Playbooks: https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/
- AWS Customer Playbook Framework: https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs

References

- https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateSAMLProvider.html
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
Related rules
- AWS IAM OIDC Provider Created by Rare User
- AWS IAM Roles Anywhere Trust Anchor Created with External CA
- AWS IAM AdministratorAccess Policy Attached to Group
- AWS IAM AdministratorAccess Policy Attached to Role
- AWS IAM AdministratorAccess Policy Attached to User