AWS IdP configuration changed
Description
AlphaSOC detected a change to an AWS IAM Identity Provider (IdP) configuration. AWS supports SAML 2.0 and OIDC federation, allowing external identity systems to authenticate users into AWS roles. Modifications to IdP configurations are sensitive operations: a threat actor with sufficient IAM privileges may update federation settings to redirect authentication through an attacker-controlled identity system, enabling persistent access under legitimate-looking credentials.
Impact
Unauthorized changes to AWS IdP configuration can allow an attacker to establish a persistent backdoor into the AWS environment by controlling the external identity provider that AWS trusts. This can bypass multi-factor authentication controls and allow the attacker to assume any role configured to trust the modified provider. Discovery of such changes may indicate an advanced persistent threat actor seeking long-term access.
Severity
| Severity | Condition |
|---|---|
| Informational | AWS identity provider configuration changed |
| Low | Unexpected AWS identity provider configuration change |
Investigation and Remediation
Review the CloudTrail event to determine which IdP was modified and what specific metadata or configuration was changed. Compare the current IdP metadata against a known-good baseline. If an unauthorized change is detected, immediately revert the IdP configuration, investigate the IAM principal that made the change, and rotate its credentials. Review all roles configured to trust the modified provider for unauthorized assume-role events.
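The triage steps above can be scripted against the CloudTrail records. The following is an added example, not AlphaSOC's detection logic or AWS-provided code: it keeps only the IAM API calls that create, modify or delete a SAML/OIDC provider, rates each change on the page's Informational/Low scale (unexpected means the caller is not an approved IdP administrator or the submitted SAML metadata no longer matches a known-good SHA-256 baseline), and lists the roles whose trust policy names the modified provider so their assume-role history can be reviewed. The IAM event names are real IAM actions; the account ID, ARNs, principals, metadata documents and trust policies are constructed sample data, and the example assumes the metadata document appears in `requestParameters` under the CloudTrail-style key `sAMLMetadataDocument`.

```python
"""Triage helper for AWS IdP configuration change events (added example,
not AlphaSOC's or AWS's own code). All ARNs, principals, events and trust
policies below are constructed sample data."""
import hashlib
import json

# IAM API actions that create, modify or delete a federated identity provider.
IDP_CHANGE_EVENTS = {
    "CreateSAMLProvider", "UpdateSAMLProvider", "DeleteSAMLProvider",
    "CreateOpenIDConnectProvider", "DeleteOpenIDConnectProvider",
    "UpdateOpenIDConnectProviderThumbprint",
    "AddClientIDToOpenIDConnectProvider", "RemoveClientIDFromOpenIDConnectProvider",
}
# CloudTrail lower-cases the first character of IAM parameter names ("sAMLProviderArn");
# the constructed events below follow that convention.
ARN_KEYS = ("sAMLProviderArn", "openIDConnectProviderArn")

# --- constructed sample data (placeholder account 111122223333) ---
PROVIDER_ARN = "arn:aws:iam::111122223333:saml-provider/CorpIdP"
KNOWN_GOOD_METADATA = "<EntityDescriptor entityID='https://idp.example.test'/>"
METADATA_BASELINE = {PROVIDER_ARN: hashlib.sha256(KNOWN_GOOD_METADATA.encode()).hexdigest()}
APPROVED_PRINCIPALS = {"arn:aws:sts::111122223333:assumed-role/IdPAdmin/change-1234"}

SAMPLE_EVENTS = [
    {  # routine update by the approved change role, metadata unchanged
        "eventSource": "iam.amazonaws.com", "eventName": "UpdateSAMLProvider",
        "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/IdPAdmin/change-1234"},
        "requestParameters": {"sAMLProviderArn": PROVIDER_ARN,
                              "sAMLMetadataDocument": KNOWN_GOOD_METADATA},
    },
    {  # update by an unexpected IAM user that points the provider at another entity
        "eventSource": "iam.amazonaws.com", "eventName": "UpdateSAMLProvider",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
        "requestParameters": {"sAMLProviderArn": PROVIDER_ARN,
                              "sAMLMetadataDocument": "<EntityDescriptor entityID='https://idp.attacker.test'/>"},
    },
    {  # unrelated IAM call; must be ignored
        "eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/auditor"},
        "requestParameters": None,
    },
]

# Constructed role trust policies keyed by role name.
ROLE_TRUST_POLICIES = {
    "FederatedAdmin": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithSAML"}]},
    "EC2Service": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole"}]},
}


def provider_arn(event):
    """Return the provider ARN from request or response parameters, if present."""
    for section in ("requestParameters", "responseElements"):
        params = event.get(section) or {}
        for key in ARN_KEYS:
            if key in params:
                return params[key]
    return None


def triage_idp_events(events, approved_principals=APPROVED_PRINCIPALS,
                      baseline=METADATA_BASELINE):
    """Rate each IdP change: Informational if expected, Low if unexpected."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "iam.amazonaws.com" or ev.get("eventName") not in IDP_CHANGE_EVENTS:
            continue
        actor = (ev.get("userIdentity") or {}).get("arn")
        arn = provider_arn(ev)
        reasons = []
        if actor not in approved_principals:
            reasons.append("principal is not an approved IdP administrator")
        doc = (ev.get("requestParameters") or {}).get("sAMLMetadataDocument")
        if doc is not None and arn in baseline:
            if hashlib.sha256(doc.encode()).hexdigest() != baseline[arn]:
                reasons.append("SAML metadata differs from known-good baseline")
        findings.append({"event": ev["eventName"], "actor": actor, "provider": arn,
                         "severity": "Low" if reasons else "Informational",
                         "reasons": reasons})
    return findings


def roles_trusting_provider(trust_policies, arn):
    """Names of roles whose trust policy lets principals federated via `arn` assume them."""
    trusting = []
    for name, policy in trust_policies.items():
        for stmt in policy.get("Statement", []):
            principal = stmt.get("Principal")
            if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
                continue
            federated = principal.get("Federated", [])
            if isinstance(federated, str):
                federated = [federated]
            if arn in federated:
                trusting.append(name)
                break
    return trusting


if __name__ == "__main__":
    for finding in triage_idp_events(SAMPLE_EVENTS):
        print(json.dumps(finding))
    print("roles to review:", roles_trusting_provider(ROLE_TRUST_POLICIES, PROVIDER_ARN))
```

In practice the events come from a CloudTrail lookup or the S3 trail bucket, the approved-principal set is the IdP change role used by the identity team, and the baseline hash is recorded whenever an approved change lands; any `Low` finding is the cue to revert the provider, rotate the acting principal's credentials, and pull `AssumeRoleWithSAML` / `AssumeRoleWithWebIdentity` events for the roles the second function returns.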