CreateOpenIDConnectProvider
Event
Registers an OIDC identity provider with IAM, enabling federated access from external identity systems such as GitHub Actions.
Security Context
- Creating cloud accounts provides a durable backdoor that persists independently of any compromised user’s credentials.
- Escalating privileges enables adversaries to access sensitive resources and perform administrative actions beyond their initial access level.
Log Source
CloudTrail
Sample Event
MITRE ATT&CK Mapping
Tactics: Persistence, Privilege Escalation
Techniques:
- T1136.003 — Cloud Account — Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.
- T1556 — Modify Authentication Process — Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SA...
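As an added example (not part of this catalogue entry), a small Python scanner over CloudTrail records that surfaces this event and raises severity when the issuer URL is outside an assumed allowlist; the allowlist contents, the sample records, the user ARN and the IP addresses are constructed (the GitHub Actions issuer URL is real).

```python
import json

# Assumed allowlist of issuer URLs the organisation has approved. The GitHub
# Actions issuer is a real URL; anything else here would be site-specific.
APPROVED_OIDC_URLS = {"https://token.actions.githubusercontent.com"}


def analyze_record(record):
    """Return a finding for a CreateOpenIDConnectProvider record, else None."""
    if (record.get("eventSource") != "iam.amazonaws.com"
            or record.get("eventName") != "CreateOpenIDConnectProvider"):
        return None
    params = record.get("requestParameters") or {}
    url = params.get("url", "")
    finding = {  # every new trust relationship deserves review, hence "medium" floor
        "time": record.get("eventTime"), "actor": record.get("userIdentity", {}).get("arn"),
        "source_ip": record.get("sourceIPAddress"), "provider_url": url,
        "client_ids": params.get("clientIDList", []), "severity": "medium", "reasons": [],
    }
    if url not in APPROVED_OIDC_URLS:
        finding["severity"] = "high"
        finding["reasons"].append("issuer URL not in approved list")
    if record.get("errorCode"):  # denied attempts still show intent
        finding["reasons"].append("call failed: " + record["errorCode"])
    return finding


def scan_trail(raw_json):
    """Run analyze_record over every record in a CloudTrail log body."""
    records = json.loads(raw_json).get("Records", [])
    return [f for f in map(analyze_record, records) if f is not None]


# Constructed sample records (documentation account ID and IP ranges, not real data).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-01-15T10:02:11Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateOpenIDConnectProvider", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ci-admin"},
     "requestParameters": {"url": "https://token.actions.githubusercontent.com",
                           "clientIDList": ["sts.amazonaws.com"]}},
    {"eventTime": "2024-01-15T23:41:05Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateOpenIDConnectProvider", "sourceIPAddress": "203.0.113.42",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ci-admin"},
     "requestParameters": {"url": "https://idp.example.net", "clientIDList": ["sts.amazonaws.com"]}},
    {"eventTime": "2024-01-15T23:42:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-admin"}},
]})
```

Unrelated IAM events such as ListUsers are dropped; the first provider registration is an approved issuer and stays at medium, the second is outside the allowlist and is raised to high.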