SAML providers may be created during legitimate identity federation setup, SSO integration projects, or infrastructure-as-code deployments. Verify that both the user identity (for example a known IaC deployment role) and the timing of the CreateSAMLProvider call align with an approved change management record. If this is expected administrative activity, it can be exempted from the rule; scope the exemption to the specific principal and change window rather than suppressing the rule as a whole, since the same API call from an unexpected principal is the signal the rule exists to catch.

Techniques

Sample rules

AWS IAM SAML Provider Created

Description

Detects the creation of a new SAML Identity Provider (IdP) in AWS IAM. SAML providers enable federated authentication between AWS and external identity providers, allowing users to access AWS resources using credentials from the external IdP. Adversaries who have gained administrative access may create rogue SAML providers to establish persistent, federated access to AWS accounts that survives credential rotation. This technique allows attackers to assume roles and access resources by forging SAML assertions from an IdP they control. Creating a SAML provider is a rare administrative action that should be closely monitored and validated against authorized infrastructure changes.

Detection logic

event.dataset: "aws.cloudtrail"
    and event.provider: "iam.amazonaws.com"
    and event.action: "CreateSAMLProvider"
    and event.outcome: "success"
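The query above, re-implemented in Python and run over a handful of constructed CloudTrail records, followed by the triage step the false-positive note asks for. This is an added example, not part of the rule or the page: the records, account ID, role and user names are placeholders, the ECS mapping (event.provider from eventSource, event.action from eventName, event.outcome from the presence of errorCode) follows the Elastic aws.cloudtrail convention, and the flattened `user.arn` / `saml.provider_name` keys and the `APPROVED_CHANGES` list are simplifications standing in for the real field paths and a change-management export.

```python
from datetime import datetime, timezone

# Constructed CloudTrail records for illustration only (not real account data).
# Records 1 and 3 are successful CreateSAMLProvider calls, record 2 failed with
# AccessDenied, record 4 is a different IAM action and must not match.
SAMPLE_CLOUDTRAIL = [
    {
        "eventTime": "2024-05-06T10:15:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateSAMLProvider",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/terraform-deploy/ci"},
        "requestParameters": {"name": "corp-okta"},
    },
    {
        "eventTime": "2024-05-06T10:16:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateSAMLProvider",
        "errorCode": "AccessDenied",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/dev-readonly"},
        "requestParameters": {"name": "test-idp"},
    },
    {
        "eventTime": "2024-05-07T02:40:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateSAMLProvider",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/svc-backup"},
        "requestParameters": {"name": "backup-sso"},
    },
    {
        "eventTime": "2024-05-07T09:00:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "UpdateSAMLProvider",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/terraform-deploy/ci"},
        "requestParameters": {"name": "corp-okta"},
    },
]

# Hypothetical change-management export: (principal ARN, window start, window end).
# Only the IaC deploy role is approved, and only during the morning of 2024-05-06.
APPROVED_CHANGES = [
    ("arn:aws:sts::111122223333:assumed-role/terraform-deploy/ci",
     datetime(2024, 5, 6, 9, 0, tzinfo=timezone.utc),
     datetime(2024, 5, 6, 12, 0, tzinfo=timezone.utc)),
]


def to_ecs(record):
    """Map a raw CloudTrail record to the ECS fields the rule queries.

    Mirrors the Elastic aws.cloudtrail convention: event.provider is eventSource,
    event.action is eventName, and event.outcome is "failure" when CloudTrail
    recorded an errorCode, otherwise "success". The last two keys are flattened
    stand-ins for the real nested user_identity / request_parameters fields.
    """
    return {
        "@timestamp": record["eventTime"],
        "event.dataset": "aws.cloudtrail",
        "event.provider": record["eventSource"],
        "event.action": record["eventName"],
        "event.outcome": "failure" if record.get("errorCode") else "success",
        "user.arn": record.get("userIdentity", {}).get("arn", ""),
        "saml.provider_name": record.get("requestParameters", {}).get("name", ""),
    }


def matches_rule(ecs):
    """The four-term KQL query from the rule, as a Python predicate."""
    return (
        ecs["event.dataset"] == "aws.cloudtrail"
        and ecs["event.provider"] == "iam.amazonaws.com"
        and ecs["event.action"] == "CreateSAMLProvider"
        and ecs["event.outcome"] == "success"
    )


def run_detection(records):
    """Return the ECS documents that trigger the rule, in input order."""
    return [ecs for ecs in map(to_ecs, records) if matches_rule(ecs)]


def triage(ecs, approved_changes):
    """Apply the false-positive guidance: a hit is exempt only when both the
    principal and the event time fall inside an approved change window."""
    when = datetime.fromisoformat(ecs["@timestamp"].replace("Z", "+00:00"))
    for arn, start, end in approved_changes:
        if ecs["user.arn"] == arn and start <= when <= end:
            return "exempt"
    return "alert"


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_CLOUDTRAIL):
        print(triage(hit, APPROVED_CHANGES), hit["user.arn"], hit["saml.provider_name"])
```

Note that the failed AccessDenied call is dropped by the `event.outcome: "success"` term, which is the rule's design: the interesting signal is a provider that now exists. The off-hours creation by `svc-backup` survives both the rule and the triage step, which is exactly the case the exemption must not swallow.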