AWS Identity Center Identity Provider Change
Detects a change in the AWS Identity Center (FKA AWS SSO) identity provider. A change in identity provider allows an attacker to establish persistent access or escalate privileges via user impersonation.
Sigma rule
title: AWS Identity Center Identity Provider Change
id: d3adb3ef-b7e7-4003-9092-1924c797db35
status: test
description: |
    Detects a change in the AWS Identity Center (FKA AWS SSO) identity provider.
    A change in identity provider allows an attacker to establish persistent access or escalate privileges via user impersonation.
references:
    - https://docs.aws.amazon.com/singlesignon/latest/userguide/app-enablement.html
    - https://docs.aws.amazon.com/singlesignon/latest/userguide/sso-info-in-cloudtrail.html
    - https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamidentitycentersuccessortoawssinglesign-on.html
author: Michael McIntyre @wtfender
date: 2023-09-27
tags:
    - attack.persistence
    - attack.credential-access
    - attack.defense-evasion
    - attack.t1556
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource:
            - 'sso-directory.amazonaws.com'
            - 'sso.amazonaws.com'
        eventName:
            - 'AssociateDirectory'
            - 'DisableExternalIdPConfigurationForDirectory'
            - 'DisassociateDirectory'
            - 'EnableExternalIdPConfigurationForDirectory'
    condition: selection
falsepositives:
    - Authorized changes to the AWS account's identity provider
level: high
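The selection above is two list matches ANDed together: a CloudTrail record fires the rule when its eventSource is one of the two Identity Center sources and its eventName is one of the four directory/IdP management calls. The following Python is an added example, not part of the Sigma rule or the SigmaHQ project, that applies that logic to a constructed CloudTrail log file so the matching behaviour can be checked offline. The CloudTrail records, account ID, ARNs, IPs and timestamps are made-up sample values, and the authorized_arns allowlist is a hypothetical triage aid for the rule's stated false positive (authorized identity provider changes), not something the rule itself defines.

```python
"""Apply the Sigma selection from the rule above to CloudTrail records."""
import json

# Match lists copied from the rule's detection.selection block.
EVENT_SOURCES = {"sso-directory.amazonaws.com", "sso.amazonaws.com"}
EVENT_NAMES = {
    "AssociateDirectory",
    "DisableExternalIdPConfigurationForDirectory",
    "DisassociateDirectory",
    "EnableExternalIdPConfigurationForDirectory",
}

# Constructed CloudTrail log file using the {"Records": [...]} envelope that
# CloudTrail writes to S3. All identities, IPs and times are sample values.
SAMPLE_LOG = json.dumps({
    "Records": [
        {   # Should fire: external IdP enabled on the Identity Center directory.
            "eventVersion": "1.08",
            "eventTime": "2023-09-27T14:02:11Z",
            "eventSource": "sso-directory.amazonaws.com",
            "eventName": "EnableExternalIdPConfigurationForDirectory",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "203.0.113.10",
            "userIdentity": {"type": "IAMUser",
                             "arn": "arn:aws:iam::111111111111:user/contractor-tmp",
                             "accountId": "111111111111"},
        },
        {   # Should fire: directory association changed via the sso service.
            "eventVersion": "1.08",
            "eventTime": "2023-09-27T14:05:40Z",
            "eventSource": "sso.amazonaws.com",
            "eventName": "AssociateDirectory",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "198.51.100.7",
            "userIdentity": {"type": "AssumedRole",
                             "arn": "arn:aws:sts::111111111111:assumed-role/IdentityAdmin/alice",
                             "accountId": "111111111111"},
        },
        {   # Must not fire: right source, but a read-only event name not in the rule.
            "eventVersion": "1.08",
            "eventTime": "2023-09-27T14:06:02Z",
            "eventSource": "sso-directory.amazonaws.com",
            "eventName": "DescribeDirectory",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "198.51.100.7",
            "userIdentity": {"type": "AssumedRole",
                             "arn": "arn:aws:sts::111111111111:assumed-role/IdentityAdmin/alice",
                             "accountId": "111111111111"},
        },
        {   # Must not fire: unrelated service entirely.
            "eventVersion": "1.08",
            "eventTime": "2023-09-27T14:07:30Z",
            "eventSource": "iam.amazonaws.com",
            "eventName": "CreateUser",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "198.51.100.7",
            "userIdentity": {"type": "AssumedRole",
                             "arn": "arn:aws:sts::111111111111:assumed-role/IdentityAdmin/alice",
                             "accountId": "111111111111"},
        },
    ]
})


def load_records(log_text):
    """Parse a CloudTrail log file and return its list of event records."""
    return json.loads(log_text)["Records"]


def matches(record):
    """The rule's selection: eventSource in list AND eventName in list."""
    return (record.get("eventSource") in EVENT_SOURCES
            and record.get("eventName") in EVENT_NAMES)


def detect(records, authorized_arns=frozenset()):
    """Return one alert per matching record.

    authorized_arns is a hypothetical allowlist of principal ARNs that are
    expected to change the identity provider; their matches are still
    reported (the rule is level: high) but flagged so triage can sort them.
    """
    alerts = []
    for rec in records:
        if not matches(rec):
            continue
        actor = rec.get("userIdentity", {}).get("arn", "<unknown principal>")
        alerts.append({
            "time": rec.get("eventTime"),
            "source": rec["eventSource"],
            "event": rec["eventName"],
            "actor": actor,
            "ip": rec.get("sourceIPAddress"),
            "level": "high",
            "authorized": actor in authorized_arns,
        })
    return alerts


if __name__ == "__main__":
    known_admins = {"arn:aws:sts::111111111111:assumed-role/IdentityAdmin/alice"}
    for alert in detect(load_records(SAMPLE_LOG), known_admins):
        tag = "authorized actor" if alert["authorized"] else "REVIEW"
        print(f"[{alert['level']}] {alert['time']} {alert['event']} by "
              f"{alert['actor']} from {alert['ip']} ({tag})")
```

Running the block as a script prints two alerts from the four sample records: the IAM user's EnableExternalIdPConfigurationForDirectory call is left for review, while the IdentityAdmin role's AssociateDirectory call is marked as coming from an authorized actor. The allowlist is deliberately a triage annotation rather than a suppression, because an attacker who has obtained an admin principal would otherwise silence the rule with it.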
Related rules
- CA Policy Removed by Non Approved Actor
- CA Policy Updated by Non Approved Actor
- Certificate-Based Authentication Enabled
- Change to Authentication Method
- Directory Service Restore Mode(DSRM) Registry Value Tampering