LoFP / authorized changes to the aws account's identity provider

Techniques

Sample rules

AWS Identity Center Identity Provider Change

Description

Detects a change in the AWS Identity Center (formerly AWS SSO) identity provider. Changing the identity provider lets an attacker establish persistent access or escalate privileges by impersonating users.

Detection logic

condition: selection
selection:
  eventName:
  - AssociateDirectory
  - DisableExternalIdPConfigurationForDirectory
  - DisassociateDirectory
  - EnableExternalIdPConfigurationForDirectory
  eventSource:
  - sso-directory.amazonaws.com
  - sso.amazonaws.com
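As an added example (not part of this LoFP entry or the Sigma rule), the selection above applied in Python to constructed CloudTrail records, with an allowlist of change-management roles standing in for the "authorized changes" false positive; the account id, role name and user names are made up.

```python
# Transcribed from the rule's selection above.
EVENT_NAMES = {
    "AssociateDirectory",
    "DisableExternalIdPConfigurationForDirectory",
    "DisassociateDirectory",
    "EnableExternalIdPConfigurationForDirectory",
}
EVENT_SOURCES = {"sso-directory.amazonaws.com", "sso.amazonaws.com"}

# Hypothetical allowlist: the IAM role permitted to change the Identity Center
# identity provider through the organisation's change process (constructed ARN).
AUTHORIZED_ROLE_ARNS = {"arn:aws:iam::123456789012:role/IdentityCenterChangeRole"}

def matches_rule(event: dict) -> bool:
    """True when a CloudTrail record satisfies the Sigma selection (both fields must match)."""
    return event.get("eventName") in EVENT_NAMES and event.get("eventSource") in EVENT_SOURCES

def acting_principal(event: dict) -> str:
    """Resolve the IAM role behind an assumed-role session, else the caller's own ARN."""
    identity = event.get("userIdentity", {})
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or identity.get("arn", "")

def triage(events: list) -> tuple:
    """Split matching records into alerts and suppressed (authorized) changes."""
    alerts, suppressed = [], []
    for ev in events:
        if not matches_rule(ev):
            continue
        bucket = suppressed if acting_principal(ev) in AUTHORIZED_ROLE_ARNS else alerts
        bucket.append(ev)
    return alerts, suppressed

# Constructed CloudTrail records, trimmed to the fields used here.
SAMPLE_EVENTS = [
    {"eventName": "EnableExternalIdPConfigurationForDirectory",
     "eventSource": "sso-directory.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/IdentityCenterChangeRole/chg-0042",
                      "sessionContext": {"sessionIssuer": {
                          "arn": "arn:aws:iam::123456789012:role/IdentityCenterChangeRole"}}}},
    {"eventName": "DisassociateDirectory", "eventSource": "sso-directory.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/contractor"}},
    {"eventName": "ListInstances", "eventSource": "sso.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/auditor"}},
]
```

Suppressed records should still be retained for audit review; the allowlist only keeps them out of the alert queue.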