
Unexpected AWS API calls indicating SAML activity

ID: aws_saml_activity_anomaly
Data type: AWS CloudTrail
Severity: Informational - Medium
MITRE ATT&CK: TA0005:T1484

Description

AlphaSOC detected unexpected AWS API calls related to SAML (Security Assertion Markup Language) provider modifications, including create, update, and delete actions. SAML is used for federated authentication in AWS, allowing users to access AWS resources using their organization's identity provider. Modifications to SAML providers could indicate attempts to manipulate access controls, potentially leading to unauthorized access or privilege escalation within the AWS environment.

Impact

A threat actor could create, delete, or modify SAML providers to gain persistent access to AWS resources, bypass existing access controls, or create backdoors. This could lead to data breaches and resource misuse.

Severity

Severity        Condition
Informational   Unexpected action, ASN, user agent or region
Low             Two unexpected properties at the same time
Medium          Three unexpected properties at the same time
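The following Python is an added illustration of the scoring scheme above, not AlphaSOC's own detection code. It filters CloudTrail records for the IAM SAML-provider calls (CreateSAMLProvider, UpdateSAMLProvider, DeleteSAMLProvider), compares the action, ASN, user agent and region against a per-principal baseline, and maps the count of unexpected properties to Informational, Low or Medium. The baseline structure, the IP-to-ASN table (CloudTrail carries only sourceIPAddress, so ASN must come from a lookup) and the sample records are all constructed for this example; treating more than three unexpected properties as Medium is an assumption, since the table stops at three.

```python
"""Score IAM SAML-provider modifications in CloudTrail by how many properties
(action, ASN, user agent, region) fall outside a principal's baseline."""
import json
from dataclasses import dataclass

# Real IAM CloudTrail eventName values that create, update or delete SAML providers.
SAML_PROVIDER_ACTIONS = {"CreateSAMLProvider", "UpdateSAMLProvider", "DeleteSAMLProvider"}


@dataclass
class Baseline:
    """Previously observed values for one principal (constructed for this example)."""
    actions: set
    asns: set
    user_agents: set
    regions: set


def severity_for(unexpected_count):
    """Map the number of unexpected properties to the severity table.
    Counts above three are treated as Medium (assumption; the table stops at three)."""
    if unexpected_count == 0:
        return None
    if unexpected_count == 1:
        return "Informational"
    if unexpected_count == 2:
        return "Low"
    return "Medium"


def evaluate_event(raw_event, baselines, asn_table):
    """Return a result dict for a SAML-provider modification, or None for other calls.

    asn_table maps sourceIPAddress -> ASN. CloudTrail records do not include an ASN,
    so a real deployment would back this with an IP-to-ASN lookup (hypothetical here).
    """
    event = json.loads(raw_event)
    action = event.get("eventName")
    if event.get("eventSource") != "iam.amazonaws.com" or action not in SAML_PROVIDER_ACTIONS:
        return None

    principal = event["userIdentity"]["arn"]
    # A principal with no history has everything unexpected.
    baseline = baselines.get(principal, Baseline(set(), set(), set(), set()))
    asn = asn_table.get(event.get("sourceIPAddress"), "UNKNOWN")

    observed = {
        "action": (action, baseline.actions),
        "asn": (asn, baseline.asns),
        "user_agent": (event.get("userAgent"), baseline.user_agents),
        "region": (event.get("awsRegion"), baseline.regions),
    }
    unexpected = [name for name, (value, known) in observed.items() if value not in known]
    return {
        "principal": principal,
        "action": action,
        "unexpected": unexpected,
        "severity": severity_for(len(unexpected)),
    }


# Constructed baseline: what this role normally looks like when it touches SAML providers.
BASELINES = {
    "arn:aws:sts::111122223333:assumed-role/IdPAdmin/alice": Baseline(
        actions={"UpdateSAMLProvider"},
        asns={"AS64500"},
        user_agents={"aws-cli/2.15.0"},
        regions={"us-east-1"},
    )
}
# Constructed IP-to-ASN mapping standing in for a real lookup service.
ASN_TABLE = {"203.0.113.10": "AS64500", "198.51.100.7": "AS64501"}


def _record(name, ip, ua, region, arn="arn:aws:sts::111122223333:assumed-role/IdPAdmin/alice"):
    """Build a minimal CloudTrail-shaped JSON record (constructed test data)."""
    return json.dumps({
        "eventSource": "iam.amazonaws.com", "eventName": name, "awsRegion": region,
        "sourceIPAddress": ip, "userAgent": ua, "userIdentity": {"arn": arn},
    })


SAMPLE_EVENTS = [
    _record("UpdateSAMLProvider", "203.0.113.10", "aws-cli/2.15.0", "us-east-1"),  # all expected
    _record("CreateSAMLProvider", "203.0.113.10", "aws-cli/2.15.0", "us-east-1"),  # new action
    _record("DeleteSAMLProvider", "198.51.100.7", "python-requests/2.31", "eu-west-1"),  # everything new
    _record("ListUsers", "203.0.113.10", "aws-cli/2.15.0", "us-east-1"),  # not a SAML-provider call
    _record("UpdateSAMLProvider", "192.0.2.44", "aws-cli/2.15.0", "ap-southeast-2"),  # ASN + region
]


def run_rule(raw_events=SAMPLE_EVENTS, baselines=BASELINES, asn_table=ASN_TABLE):
    """Evaluate every record and keep only those that earn a severity."""
    results = (evaluate_event(e, baselines, asn_table) for e in raw_events)
    return [r for r in results if r and r["severity"]]


if __name__ == "__main__":
    for alert in run_rule():
        print(alert["severity"], alert["action"], alert["unexpected"])
```

The first sample record matches the baseline on all four properties and produces no alert; the CreateSAMLProvider call differs only in action (Informational), the UpdateSAMLProvider from an unknown IP and region differs in two properties (Low), and the DeleteSAMLProvider from a new ASN, user agent and region differs in all four (Medium). In practice the baseline would be learned from a window of prior CloudTrail activity per principal rather than hard-coded.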

Investigation and Remediation

Investigate the legitimacy of the SAML provider changes by reviewing AWS CloudTrail logs to identify the user or role that performed the actions. Verify if these changes were authorized. If unauthorized, revert the changes, rotate any potentially compromised credentials, and conduct a thorough security assessment of the AWS environment.

Known False Positives

  • Legitimate SAML provider updates during routine maintenance or configuration changes
  • Routine rotation or updates of SAML certificates and metadata