AWS IAM SAML Provider Updated

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

AWS IAM SAML Provider Updated

Detects when an AWS IAM SAML provider is updated, which manages federated authentication between AWS and external identity providers (IdPs). Adversaries with administrative access may modify a SAML provider’s metadata or certificate to redirect authentication flows, enable unauthorized federation, or escalate privileges through identity trust manipulation. Because SAML providers underpin single sign-on (SSO) access for users and applications, unauthorized modifications may allow persistent or covert access even after credentials are revoked. Monitoring "UpdateSAMLProvider" API activity is critical to detect potential compromise of federated trust relationships.

Rule type: query

Rule indices:

filebeat-*
logs-aws.cloudtrail-*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html

Tags:

Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS IAM
Use Case: Identity and Access Audit
Tactic: Privilege Escalation
Resources: Investigation Guide

Version: 211

Rule authors:

Elastic
Austin Songer

Rule license: Elastic License v2

Investigation guide

edit

Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating AWS IAM SAML Provider Updated

AWS IAM SAML providers enable federated authentication between AWS and external identity providers (IdPs), allowing users from trusted domains to access AWS resources without separate credentials. Updating a SAML provider can modify the trust relationship — including the signing certificate or metadata document — and, if abused, may allow an attacker to redirect authentication flows or gain access through a malicious or compromised IdP.

This rule detects successful UpdateSAMLProvider API calls that do not originate from AWS Single Sign-On (SSO), as normal SSO operations are filtered out. These changes can be significant because a single unauthorized update can affect all federated authentication in the account.

Possible investigation steps

Validate the actor and context
Review aws.cloudtrail.user_identity.arn, user.name, and user_agent.original to determine who performed the update.
Confirm if the actor is part of an authorized identity management or platform engineering group.
Review source.ip and cloud.region fields for unexpected geolocations, IP ranges, or service origins.
Assess the scope of the modification
Parse the aws.cloudtrail.request_parameters for updates to SAMLMetadataDocument or Certificate attributes.
Compare the new metadata with previous versions (available via AWS CLI or AWS Config) to detect unauthorized IdP URLs, certificates, or assertion endpoints.
Identify whether the change replaced a valid trusted certificate with an unknown or self-signed one.
Correlate related IAM and authentication events
Look for preceding CreateSAMLProvider or DeleteSAMLProvider activity, as attackers may replace existing trust entities.
Search for follow-up logins (AssumeRoleWithSAML) or STS tokens issued shortly after the update — this could indicate immediate exploitation of the new configuration.
Check for concurrent changes to IAM roles associated with SAML federated access.
Confirm authorization
Coordinate with your identity management team to confirm whether the SAML provider update aligns with planned IdP maintenance or certificate rotation.

False positive analysis

Planned SSO certificate rotation
Most legitimate SAML provider updates occur during routine certificate renewals by authorized IdP admins. Validate that the update timing aligns with planned identity provider operations.
Automated infrastructure processes
CI/CD or configuration-as-code pipelines may automatically update SAML metadata as part of deployment. Verify whether this activity matches known automation patterns.
Third-party IdP integrations
Some integrated SaaS applications update SAML providers programmatically. Confirm the vendor and the originating credentials before closing as benign.

Response and remediation

Immediate review and containment
Retrieve the current SAML provider configuration using the AWS CLI (aws iam get-saml-provider) and compare it with the previous known-good state.
If unauthorized changes are confirmed, restore the previous configuration or delete the compromised provider.
Temporarily disable federated login access for affected roles or accounts until validation is complete.
Investigation and scoping
Review CloudTrail logs for related IAM configuration changes, including CreateRole, AttachRolePolicy, or UpdateAssumeRolePolicy events that may expand federated trust scope.
Identify any AssumeRoleWithSAML or GetFederationToken events following the update, indicating possible exploitation.
Cross-check logs from your external IdP to verify if unauthorized assertions or logins were attempted post-update.
Recovery and hardening
Limit permissions to modify SAML providers (iam:UpdateSAMLProvider) to a dedicated identity management role.
Enforce change control documentation and peer review for all federation configuration changes.
Enable AWS Config to monitor and record SAML provider resource configuration history.

Additional information

AWS IR Playbooks
AWS Customer Playbook Framework
Security Best Practices: AWS Knowledge Center – Security Best Practices.

Rule query

edit

event.dataset: "aws.cloudtrail"
    and event.provider: "iam.amazonaws.com"
    and event.action: "UpdateSAMLProvider"
    and event.outcome: "success"
    and not (source.address: "sso.amazonaws.com" and user_agent.original: "sso.amazonaws.com")

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Privilege Escalation
- ID: TA0004
- Reference URL: https://attack.mitre.org/tactics/TA0004/
Technique:
- Name: Domain or Tenant Policy Modification
- ID: T1484
- Reference URL: https://attack.mitre.org/techniques/T1484/
Sub-technique:
- Name: Trust Modification
- ID: T1484.002
- Reference URL: https://attack.mitre.org/techniques/T1484/002/

« Deprecated - AWS RDS Instance Creation Azure Diagnostic Settings Deletion »