Unexpected AWS API calls indicating SAML activity
Description
AlphaSOC detected unexpected AWS API calls that create, update or delete an IAM SAML provider (the CreateSAMLProvider, UpdateSAMLProvider and DeleteSAMLProvider actions). A SAML provider is the IAM object that stores an identity provider's metadata, including the signing certificate AWS uses to validate SAML assertions, so that users can federate into AWS roles with their organization's identity provider. Unexpected changes to a provider may indicate an attempt to manipulate federated access controls, potentially leading to unauthorized access or privilege escalation within the AWS environment.
Impact
A threat actor who can create or update a SAML provider can register metadata containing a signing certificate they control and then mint assertions that AWS accepts through AssumeRoleWithSAML for every role that trusts the provider. This gives persistent access that bypasses the organization's real identity provider and any MFA enforced there, effectively a federation backdoor. Deleting a provider breaks legitimate federated sign-in. Either outcome can lead to data breaches and resource misuse.
Severity
| Severity | Condition |
|---|---|
| Informational | One unexpected property (action, ASN, user agent or region) |
| Low | Two unexpected properties at the same time |
| Medium | Three or more unexpected properties at the same time |
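To make the severity ladder concrete, the following Python is an added example (not AlphaSOC's detection code) that scores CloudTrail records for the three SAML provider API calls against a per-account baseline of expected action, ASN, user agent and region, and maps the number of unexpected properties to the severities in the table. The baseline values, the IP-to-ASN table and the CloudTrail records are all constructed; CloudTrail itself carries no ASN field, so the ASN lookup stands in for an enrichment step a real pipeline would perform on sourceIPAddress.

```python
"""Score SAML provider changes from CloudTrail records against a baseline.

Added example, not AlphaSOC's own detection logic. Severity mapping follows
the table above: one unexpected property -> Informational, two -> Low,
three or more -> Medium. Baseline, ASN table and records are constructed.
"""
import json

# IAM API calls that create, update or delete a SAML provider.
SAML_PROVIDER_EVENTS = {"CreateSAMLProvider", "UpdateSAMLProvider", "DeleteSAMLProvider"}

# Constructed baseline for a hypothetical account. Each entry is a prefix an
# observed value must start with to count as expected.
BASELINE = {
    "action": {"UpdateSAMLProvider"},      # only metadata rotation is routine
    "asn": {"AS64500"},                    # constructed ASN of the CI runner
    "user_agent": {"terraform", "aws-cli/2."},
    "region": {"us-east-1"},
}

# Constructed IP -> ASN table standing in for a GeoIP/ASN enrichment step.
ASN_LOOKUP = {"203.0.113.10": "AS64500"}

# Severity ladder from the table above, capped at Medium.
SEVERITY = {1: "Informational", 2: "Low", 3: "Medium"}


def _expected(value, prefixes):
    return any(value.startswith(p) for p in prefixes)


def score_event(record, baseline=BASELINE, asn_lookup=ASN_LOOKUP):
    """Return (severity, unexpected_properties) for one CloudTrail record.

    Non-SAML events and events with nothing unexpected return (None, []).
    """
    name = record.get("eventName", "")
    if name not in SAML_PROVIDER_EVENTS:
        return None, []
    observed = {
        "action": name,
        "asn": asn_lookup.get(record.get("sourceIPAddress", ""), "unknown"),
        "user_agent": record.get("userAgent", ""),
        "region": record.get("awsRegion", ""),
    }
    unexpected = [k for k, v in observed.items() if not _expected(v, baseline[k])]
    return SEVERITY.get(min(len(unexpected), 3)), unexpected


# Constructed CloudTrail records (field names follow the CloudTrail schema,
# values are invented).
SAMPLE_RECORDS = [
    {   # routine certificate rotation by the CI pipeline: nothing unexpected
        "eventSource": "iam.amazonaws.com", "eventName": "UpdateSAMLProvider",
        "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
        "userAgent": "terraform/1.6.0",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ci-deployer"},
        "requestParameters": {"sAMLProviderArn": "arn:aws:iam::111122223333:saml-provider/CorpIdP"},
    },
    {   # new provider created from an unknown network: action and ASN unexpected
        "eventSource": "iam.amazonaws.com", "eventName": "CreateSAMLProvider",
        "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
        "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.1",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin"},
        "requestParameters": {"name": "BackupIdP"},
    },
    {   # provider deleted from a new region, ASN and tool: everything unexpected
        "eventSource": "iam.amazonaws.com", "eventName": "DeleteSAMLProvider",
        "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.7",
        "userAgent": "Boto3/1.34.0 md/Botocore#1.34.0",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin"},
        "requestParameters": {"sAMLProviderArn": "arn:aws:iam::111122223333:saml-provider/CorpIdP"},
    },
    {   # unrelated IAM call from the same odd source: ignored by this detection
        "eventSource": "iam.amazonaws.com", "eventName": "ListRoles",
        "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
        "userAgent": "Boto3/1.34.0 md/Botocore#1.34.0",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin"},
    },
]


def triage(records):
    """Summarise every SAML provider change that earns a severity."""
    alerts = []
    for r in records:
        severity, unexpected = score_event(r)
        if severity:
            alerts.append({
                "severity": severity,
                "eventName": r["eventName"],
                "principal": r["userIdentity"]["arn"],
                "unexpected": unexpected,
            })
    return alerts


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_RECORDS), indent=2))
```

The baseline deliberately treats only UpdateSAMLProvider as routine: creating or deleting a provider is rare in most accounts, so even a single such call from a known network and tool still surfaces as Informational.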
Investigation and Remediation
Review the AWS CloudTrail records for the CreateSAMLProvider, UpdateSAMLProvider and DeleteSAMLProvider events (eventSource iam.amazonaws.com) to identify the principal (userIdentity), source IP, user agent and the provider named in requestParameters, then confirm with the identity or platform team whether the change was planned. For a create or update, retrieve the provider's current metadata document (iam:GetSAMLProvider) and compare its signing certificate with the certificate your identity provider actually publishes; a mismatch means assertions signed by someone else will be accepted. List the roles whose trust policies name the provider, since those are the roles that can be assumed through it. If the change is unauthorized, delete the rogue provider or restore the known-good metadata, revoke active sessions on the affected roles, rotate any potentially compromised credentials, and conduct a thorough security assessment of the AWS environment.
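Scoping which roles a tampered provider reaches is the step that determines the blast radius. The Python below is an added example (not AlphaSOC's code) that walks role trust policies and reports the roles a given SAML provider ARN can assume through sts:AssumeRoleWithSAML. The role documents are constructed in the shape of iam:GetRole output; in practice they come from iam:ListRoles / iam:GetRole, whose AssumeRolePolicyDocument allows single values or lists in most positions, which the helper normalises.

```python
"""Find which IAM roles a given SAML provider can assume into.

Added example for the investigation step above, not AlphaSOC's code. Role
trust policies below are constructed; in practice they are the
AssumeRolePolicyDocument returned by iam:GetRole / iam:ListRoles.
"""
import json

PROVIDER_ARN = "arn:aws:iam::111122223333:saml-provider/CorpIdP"  # constructed

# Constructed role records, trimmed to the fields the check needs.
SAMPLE_ROLES = [
    {
        "RoleName": "FederatedAdmin",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Allow",
                "Principal": {"Federated": PROVIDER_ARN},
                "Action": "sts:AssumeRoleWithSAML",
                "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
            }],
        },
    },
    {
        "RoleName": "ReadOnlyAnalyst",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Allow",
                "Principal": {"Federated": [PROVIDER_ARN]},
                "Action": ["sts:AssumeRoleWithSAML", "sts:TagSession"],
            }],
        },
    },
    {   # service role: not reachable through any SAML provider
        "RoleName": "ci-deployer",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": {"Effect": "Allow",
                          "Principal": {"Service": "ec2.amazonaws.com"},
                          "Action": "sts:AssumeRole"},
        },
    },
    {   # trusts a different provider
        "RoleName": "PartnerAccess",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Allow",
                "Principal": {"Federated": "arn:aws:iam::111122223333:saml-provider/PartnerIdP"},
                "Action": "sts:AssumeRoleWithSAML",
            }],
        },
    },
]


def _as_list(value):
    """IAM policy JSON permits a single value or a list in most positions."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statement_trusts(stmt, provider_arn):
    if stmt.get("Effect") != "Allow":
        return False
    actions = {a.lower() for a in _as_list(stmt.get("Action"))}
    if not actions & {"sts:assumerolewithsaml", "sts:*", "*"}:
        return False
    principal = stmt.get("Principal", {})
    if not isinstance(principal, dict):
        return principal == "*"    # anonymous trust accepts any provider
    federated = _as_list(principal.get("Federated"))
    # Conditions such as SAML:aud narrow the assertion but not which provider
    # is trusted, so they are deliberately not evaluated here.
    return provider_arn in federated or "*" in federated


def roles_trusting_provider(roles, provider_arn):
    """Names of roles whose trust policy lets provider_arn assume them via
    sts:AssumeRoleWithSAML: the roles an attacker controlling the provider's
    metadata (and therefore its signing certificate) can obtain credentials for."""
    return [
        role["RoleName"]
        for role in roles
        if any(_statement_trusts(s, provider_arn)
               for s in _as_list(role["AssumeRolePolicyDocument"].get("Statement")))
    ]


if __name__ == "__main__":
    print(json.dumps(roles_trusting_provider(SAMPLE_ROLES, PROVIDER_ARN)))
```

Every role this returns should have its active sessions revoked once the provider is confirmed tampered, because credentials already issued through a forged assertion remain valid until their session expires.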
Known False Positives
- Legitimate SAML provider updates during routine maintenance or configuration changes
- Routine rotation or updates of SAML certificates and metadata