AWS IAM OpenID Connect (OIDC) server certificate thumbprints updated
Description
AlphaSOC detected that AWS IAM OpenID Connect (OIDC) server certificate
thumbprints were updated using the UpdateOpenIDConnectProviderThumbprint
action. This action modifies the list of server certificate thumbprints
associated with an OpenID Connect identity provider. While this is often a
legitimate administrative action, threat actors can exploit this capability to
add malicious certificate thumbprints, potentially enabling them to impersonate
legitimate identity providers and gain unauthorized access to AWS resources
through federated authentication.
Impact
Unauthorized modification of OIDC provider thumbprints could allow adversaries to bypass authentication controls by adding their own certificate thumbprints. This may lead to unauthorized access to AWS resources, privilege escalation, data exfiltration, or lateral movement within the cloud environment.
Severity
Severity | Condition |
---|---|
Informational | Unexpected action, ASN, user agent, or region |
Low | Two unexpected properties at the same time |
Medium | Three unexpected properties at the same time |
Investigation and Remediation
Review AWS CloudTrail logs for the source IP, user agent, and identity that performed the action and verify whether the thumbprint update was authorized. If unauthorized, immediately remove the malicious thumbprints and restore the legitimate ones. Additionally, review and revoke any active sessions or temporary credentials associated with the affected OIDC provider, and conduct a comprehensive security audit of your AWS environment for other signs of compromise.
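The severity table and the remediation guidance above, worked through in code as an added example (not AlphaSOC's or AWS's code): a CloudTrail UpdateOpenIDConnectProviderThumbprint record is compared with a constructed baseline of expected properties, the count of unexpected ones is mapped to the rule's severity, and the fields an analyst reviews first are pulled out. Field names are real CloudTrail keys except `asn`, which is assumed to be an upstream enrichment derived from `sourceIPAddress`; the baseline values and the sample record are constructed.

```python
# Added example, not AlphaSOC's or AWS's code: score a CloudTrail
# UpdateOpenIDConnectProviderThumbprint record against a baseline of expected
# properties per the severity table above. Keys are real CloudTrail fields,
# except "asn", an assumed upstream enrichment derived from sourceIPAddress.

# Constructed baseline: what this account's OIDC admin work normally looks like.
BASELINE = {
    "eventName": {"UpdateOpenIDConnectProviderThumbprint"},  # action seen before
    "asn": {64496},                   # assumed egress ASN (documentation range)
    "userAgent": {"aws-cli/2.15.0"},  # assumed usual admin tooling
    "awsRegion": {"us-east-1"},
}
# Count of unexpected properties -> severity; three or more is Medium.
SEVERITY_BY_COUNT = {0: None, 1: "Informational", 2: "Low"}


def unexpected_properties(event, baseline=BASELINE):
    """Names of baseline properties whose value in the event is not expected."""
    return [k for k, allowed in baseline.items() if event.get(k) not in allowed]


def severity(event, baseline=BASELINE):
    """Map the number of unexpected properties to the rule's severity level."""
    return SEVERITY_BY_COUNT.get(len(unexpected_properties(event, baseline)), "Medium")


def triage(event, baseline=BASELINE):
    """Collect the fields the remediation guidance says to review first."""
    params = event.get("requestParameters", {})
    return {
        "severity": severity(event, baseline),
        "unexpected": unexpected_properties(event, baseline),
        "principal": event.get("userIdentity", {}).get("arn"),
        "sourceIPAddress": event.get("sourceIPAddress"),
        "provider": params.get("openIDConnectProviderArn"),
        "thumbprints": params.get("thumbprintList"),
    }


# Constructed CloudTrail-style record: new region, tooling and ASN at once.
SAMPLE_EVENT = {
    "eventName": "UpdateOpenIDConnectProviderThumbprint",
    "awsRegion": "eu-west-3",
    "userAgent": "Boto3/1.34.0",
    "sourceIPAddress": "198.51.100.23",
    "asn": 64511,
    "userIdentity": {"arn": "arn:aws:iam::123456789012:user/placeholder-admin"},
    "requestParameters": {"openIDConnectProviderArn": "arn:aws:iam::123456789012:oidc-provider/example.com",
                          "thumbprintList": ["<placeholder-thumbprint>"]},
}
```

Running `triage(SAMPLE_EVENT)` yields a Medium alert, since the region, user agent and ASN all fall outside the baseline at once, together with the principal, source IP, provider ARN and new thumbprint list that the investigation steps call for.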