oidc providers may be created during legitimate ci/cd integration (e.g., github actions, gitlab ci), kubernetes service account federation, or other web identity use cases. verify whether the user identity and timing align with approved change management processes. if this is expected administrative activity, it can be exempted from the rule.

t1078
t1484
aws
elastic

Techniques

T1078
T1484

Sample rules

AWS IAM OIDC Provider Created by Rare User

source: elastic
technicques:
- T1078
- T1484

Description

Detects when an uncommon user or role creates an OpenID Connect (OIDC) Identity Provider in AWS IAM. OIDC providers enable web identity federation, allowing users authenticated by external identity providers (such as Google, GitHub, or custom OIDC-compliant providers) to assume IAM roles and access AWS resources. Adversaries who have gained administrative access may create rogue OIDC providers to establish persistent, federated access that survives credential rotation. This technique allows attackers to assume roles using tokens from an IdP they control. While OIDC provider creation is benign in some environments, it should still be validated against authorized infrastructure changes.

Detection logic

event.dataset: "aws.cloudtrail"
    and event.provider: "iam.amazonaws.com"
    and event.action: "CreateOpenIDConnectProvider"
    and event.outcome: "success"