AWS IAM SAML Provider Updated
Detects when an AWS IAM SAML provider is updated, which manages federated authentication between AWS and external identity providers (IdPs). Adversaries with administrative access may modify a SAML provider’s metadata or certificate to redirect authentication flows, enable unauthorized federation, or escalate privileges through identity trust manipulation. Because SAML providers underpin single sign-on (SSO) access for users and applications, unauthorized modifications may allow persistent or covert access even after credentials are revoked. Monitoring "UpdateSAMLProvider" API activity is critical to detect potential compromise of federated trust relationships.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2021/09/22"
integration = ["aws"]
maturity = "production"
updated_date = "2025/11/05"

[rule]
author = ["Elastic", "Austin Songer"]
description = """
Detects when an AWS IAM SAML provider is updated, which manages federated authentication between AWS and external
identity providers (IdPs). Adversaries with administrative access may modify a SAML provider's metadata or certificate
to redirect authentication flows, enable unauthorized federation, or escalate privileges through identity trust
manipulation. Because SAML providers underpin single sign-on (SSO) access for users and applications, unauthorized
modifications may allow persistent or covert access even after credentials are revoked. Monitoring "UpdateSAMLProvider"
API activity is critical to detect potential compromise of federated trust relationships.
"""
false_positives = [
    """
    SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or
    hostname should be making changes in your environment. SAML Provider updates by unfamiliar users should be
    investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS IAM SAML Provider Updated"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating AWS IAM SAML Provider Updated

AWS IAM SAML providers enable federated authentication between AWS and external identity providers (IdPs),
allowing users from trusted domains to access AWS resources without separate credentials.
Updating a SAML provider can modify the trust relationship — including the signing certificate or metadata document —
and, if abused, may allow an attacker to redirect authentication flows or gain access through a malicious or compromised IdP.

This rule detects successful `UpdateSAMLProvider` API calls that do not originate from AWS Single Sign-On (SSO),
as normal SSO operations are filtered out. These changes can be significant because a single unauthorized update
can affect all federated authentication in the account.

### Possible investigation steps

- **Validate the actor and context**
  - Review `aws.cloudtrail.user_identity.arn`, `user.name`, and `user_agent.original` to determine who performed the update.
  - Confirm if the actor is part of an authorized identity management or platform engineering group.
  - Review `source.ip` and `cloud.region` fields for unexpected geolocations, IP ranges, or service origins.

- **Assess the scope of the modification**
  - Parse the `aws.cloudtrail.request_parameters` for updates to `SAMLMetadataDocument` or `Certificate` attributes.
  - Compare the new metadata with previous versions (available via AWS CLI or AWS Config) to detect unauthorized IdP URLs,
    certificates, or assertion endpoints.
  - Identify whether the change replaced a valid trusted certificate with an unknown or self-signed one.

- **Correlate related IAM and authentication events**
  - Look for preceding `CreateSAMLProvider` or `DeleteSAMLProvider` activity, as attackers may replace existing trust entities.
  - Search for follow-up logins (`AssumeRoleWithSAML`) or STS tokens issued shortly after the update — this could indicate
    immediate exploitation of the new configuration.
  - Check for concurrent changes to IAM roles associated with SAML federated access.

- **Confirm authorization**
  - Coordinate with your identity management team to confirm whether the SAML provider update aligns with
    planned IdP maintenance or certificate rotation.

### False positive analysis

- **Planned SSO certificate rotation**
  - Most legitimate SAML provider updates occur during routine certificate renewals by authorized IdP admins.
    Validate that the update timing aligns with planned identity provider operations.
- **Automated infrastructure processes**
  - CI/CD or configuration-as-code pipelines may automatically update SAML metadata as part of deployment.
    Verify whether this activity matches known automation patterns.
- **Third-party IdP integrations**
  - Some integrated SaaS applications update SAML providers programmatically. Confirm the vendor and the originating credentials before closing as benign.

### Response and remediation

- **Immediate review and containment**
  - Retrieve the current SAML provider configuration using the AWS CLI (`aws iam get-saml-provider`)
    and compare it with the previous known-good state.
  - If unauthorized changes are confirmed, restore the previous configuration or delete the compromised provider.
  - Temporarily disable federated login access for affected roles or accounts until validation is complete.

- **Investigation and scoping**
  - Review CloudTrail logs for related IAM configuration changes, including `CreateRole`, `AttachRolePolicy`, or
    `UpdateAssumeRolePolicy` events that may expand federated trust scope.
  - Identify any `AssumeRoleWithSAML` or `GetFederationToken` events following the update, indicating possible exploitation.
  - Cross-check logs from your external IdP to verify if unauthorized assertions or logins were attempted post-update.

- **Recovery and hardening**
  - Limit permissions to modify SAML providers (`iam:UpdateSAMLProvider`) to a dedicated identity management role.
  - Enforce change control documentation and peer review for all federation configuration changes.
  - Enable AWS Config to monitor and record SAML provider resource configuration history.

### Additional information
- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)**
- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)**
- **Security Best Practices:** [AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/).

"""
references = ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html"]
risk_score = 47
rule_id = "979729e7-0c52-4c4c-b71e-88103304a79f"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS IAM",
    "Use Case: Identity and Access Audit",
    "Tactic: Privilege Escalation",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset: "aws.cloudtrail"
    and event.provider: "iam.amazonaws.com"
    and event.action: "UpdateSAMLProvider"
    and event.outcome: "success"
    and not (source.address: "sso.amazonaws.com" and user_agent.original: "sso.amazonaws.com")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1484"
name = "Domain or Tenant Policy Modification"
reference = "https://attack.mitre.org/techniques/T1484/"
[[rule.threat.technique.subtechnique]]
id = "T1484.002"
name = "Trust Modification"
reference = "https://attack.mitre.org/techniques/T1484/002/"



[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
    "aws.cloudtrail.response_elements",
]
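The rule's KQL query above is short, but the SSO exclusion has a subtlety worth seeing on real records: it only drops an event when both `source.address` and `user_agent.original` are `sso.amazonaws.com`, so a caller that merely sets its user agent to that string still alerts. The following Python is an added example (not Elastic's or AWS's code) that replays the query's clauses over constructed raw CloudTrail records. The raw-to-ECS field mapping in `to_ecs`, in particular deriving `event.outcome` from the presence of `errorCode`, is an assumption about what the Elastic aws.cloudtrail integration produces for the fields this rule reads; the sample records, account id, ARNs and user names are all constructed.

```python
"""Replay the AWS IAM SAML Provider Updated rule over raw CloudTrail records.

Added example; the records are constructed and the raw-to-ECS mapping
is an assumption that mirrors the Elastic aws.cloudtrail integration
only for the fields this rule uses.
"""
import json
from typing import Iterable, List


def to_ecs(record: dict) -> dict:
    """Project the raw CloudTrail fields the rule needs onto ECS names.

    Assumption: event.outcome is "failure" when the record carries an
    errorCode and "success" otherwise.
    """
    identity = record.get("userIdentity", {})
    return {
        "event.dataset": "aws.cloudtrail",
        "event.provider": record.get("eventSource"),
        "event.action": record.get("eventName"),
        "event.outcome": "failure" if record.get("errorCode") else "success",
        "source.address": record.get("sourceIPAddress"),
        "user_agent.original": record.get("userAgent"),
        "user.name": identity.get("userName") or identity.get("invokedBy"),
        "aws.cloudtrail.user_identity.arn": identity.get("arn"),
        "aws.cloudtrail.user_identity.type": identity.get("type"),
        "aws.cloudtrail.request_parameters": json.dumps(
            record.get("requestParameters", {}), sort_keys=True),
    }


def matches_rule(doc: dict) -> bool:
    """The rule's KQL predicate, clause by clause.

    The SSO exclusion needs BOTH fields to equal sso.amazonaws.com; a
    record matching only one of them is still reported.
    """
    from_sso = (doc["source.address"] == "sso.amazonaws.com"
                and doc["user_agent.original"] == "sso.amazonaws.com")
    return (
        doc["event.dataset"] == "aws.cloudtrail"
        and doc["event.provider"] == "iam.amazonaws.com"
        and doc["event.action"] == "UpdateSAMLProvider"
        and doc["event.outcome"] == "success"
        and not from_sso
    )


def alerts(records: Iterable[dict]) -> List[dict]:
    """Return the ECS documents for which this rule would fire."""
    return [doc for doc in map(to_ecs, records) if matches_rule(doc)]


def _record(event_name, actor, ip, agent, error=None, id_type="IAMUser"):
    """Build a constructed CloudTrail record with the fields the rule reads."""
    if id_type == "AWSService":
        identity = {"type": id_type, "invokedBy": actor}
    else:
        identity = {"type": id_type, "userName": actor,
                    "arn": f"arn:aws:iam::123456789012:user/{actor}"}
    rec = {
        "eventVersion": "1.08", "eventTime": "2025-11-05T10:15:00Z",
        "eventSource": "iam.amazonaws.com", "eventName": event_name,
        "awsRegion": "us-east-1", "sourceIPAddress": ip, "userAgent": agent,
        "userIdentity": identity,
        # Constructed provider ARN; CloudTrail names the parameter sAMLProviderArn.
        "requestParameters": {
            "sAMLProviderArn": "arn:aws:iam::123456789012:saml-provider/ExampleIdP"},
    }
    if error:
        rec["errorCode"] = error
    return rec


# Constructed sample: one human update, one genuine SSO service call, one
# denied attempt, one unrelated API, and one caller spoofing only the agent.
SAMPLE_RECORDS = [
    _record("UpdateSAMLProvider", "ops-admin", "203.0.113.10", "aws-cli/2.15.0"),
    _record("UpdateSAMLProvider", "sso.amazonaws.com", "sso.amazonaws.com",
            "sso.amazonaws.com", id_type="AWSService"),
    _record("UpdateSAMLProvider", "intern", "198.51.100.7",
            "console.amazonaws.com", error="AccessDenied"),
    _record("CreateSAMLProvider", "ops-admin", "203.0.113.10", "aws-cli/2.15.0"),
    _record("UpdateSAMLProvider", "contractor", "203.0.113.77", "sso.amazonaws.com"),
]

if __name__ == "__main__":
    for hit in alerts(SAMPLE_RECORDS):
        # Print the triage fields the guide asks the analyst to review first.
        print(hit["user.name"], hit["source.address"], hit["user_agent.original"],
              hit["aws.cloudtrail.request_parameters"])
```

Only the first and last records produce alerts: the service call is excluded by both clauses, the denied call has `event.outcome: failure`, and `CreateSAMLProvider` is a different action (the guide suggests correlating it separately). The last record shows why the exclusion is an `and`: a spoofed user agent alone does not suppress the alert.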
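The "Assess the scope of the modification" and "Immediate review and containment" steps in the investigation guide both come down to one comparison: what changed between the known-good SAML metadata and the document now attached to the provider. The Python below is an added example (not Elastic's or AWS's code) that summarizes a SAML 2.0 metadata document into the three things an analyst cares about, the IdP entityID, the SingleSignOnService endpoints, and the SHA-256 fingerprint of each signing certificate, and diffs two such summaries. Both metadata documents here are constructed, including the "certificates", which are arbitrary bytes rather than real X.509; in practice the current document is the `SAMLMetadataDocument` field returned by `aws iam get-saml-provider` and the baseline comes from AWS Config history or your change records.

```python
"""Summarize and diff SAML provider metadata for triage.

Added example; the metadata documents and certificate bytes below are
constructed. Real input is the SAMLMetadataDocument from
`aws iam get-saml-provider` (current) and a recorded baseline.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def fingerprint(b64_cert: str) -> str:
    """SHA-256 over the DER bytes, the form most IdP consoles display."""
    der = base64.b64decode("".join(b64_cert.split()))
    return hashlib.sha256(der).hexdigest()


def summarize(metadata_xml: str) -> dict:
    """Extract entityID, signing cert fingerprints and SSO endpoints."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no "use" attribute covers signing as well.
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall(".//ds:X509Certificate", NS):
                certs.append(fingerprint(cert.text))
    endpoints = sorted(e.get("Location")
                       for e in idp.findall("md:SingleSignOnService", NS))
    return {"entity_id": root.get("entityID"),
            "signing_cert_sha256": sorted(certs),
            "sso_endpoints": endpoints}


def diff(baseline: dict, current: dict) -> dict:
    """Map each changed key to a (baseline, current) pair."""
    return {k: (baseline[k], current[k]) for k in baseline if baseline[k] != current[k]}


def _metadata(entity_id: str, sso_url: str, cert_bytes: bytes) -> str:
    """Build a minimal constructed IdP metadata document."""
    b64 = base64.b64encode(cert_bytes).decode()
    return (
        f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
        f'entityID="{entity_id}">'
        '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        f'<ds:X509Certificate>{b64}</ds:X509Certificate>'
        '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
        '<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" '
        f'Location="{sso_url}"/>'
        '</md:IDPSSODescriptor></md:EntityDescriptor>'
    )


# Constructed baseline and a current document whose SSO endpoint and
# signing certificate both changed while the entityID stayed the same.
BASELINE_DOC = _metadata("https://idp.example.test/saml",
                         "https://idp.example.test/sso", b"constructed-cert-v1")
CURRENT_DOC = _metadata("https://idp.example.test/saml",
                        "https://unknown-idp.invalid/sso", b"constructed-cert-v2")

BASELINE_SUMMARY = summarize(BASELINE_DOC)
CURRENT_SUMMARY = summarize(CURRENT_DOC)
CHANGES = diff(BASELINE_SUMMARY, CURRENT_SUMMARY)

if __name__ == "__main__":
    for key, (old, new) in CHANGES.items():
        print(f"{key}: {old} -> {new}")
```

An unchanged entityID with a new endpoint and a new signing certificate is exactly the pattern the guide flags: assertions would still be accepted for the same issuer name, but signed by a key and served from a host the baseline never trusted. A planned certificate rotation normally changes only the fingerprint, so a diff that also touches endpoints or the entityID deserves confirmation from the identity team before being closed as benign.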
References
- https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html
Related rules
- AWS IAM Assume Role Policy Update
- AWS IAM Customer-Managed Policy Attached to Role by Rare User
- AWS IAM User Created Access Keys For Another User
- AWS IAM AdministratorAccess Policy Attached to Group
- AWS IAM AdministratorAccess Policy Attached to Role