CreateOpenIDConnectProvider
AWS
CreateOpenIDConnectProvider
Event
Registers an OIDC identity provider with IAM, enabling federated access from external identity systems like GitHub Actions.
Security Context
- Creating cloud accounts provides a durable backdoor that persists independently of any compromised user’s credentials.
- Escalating privileges enables adversaries to access sensitive resources and perform administrative actions beyond their initial access level.
Log Source
CloudTrail
Sample Event
Adversarial. Draco registers an attacker-controlled OIDC IdP (https://draco-idp-666.example) as a trust anchor in the production account. After this, any role with a trust policy that allows the new OIDC provider can be assumed by tokens minted from the attacker’s IdP — giving Draco a federation-based persistence path that survives credential rotation. The provider is added with a single client ID and a synthetic 40-char thumbprint, mirroring AWS docs.
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDADRAC0MALF0YBADGY", "arn": "arn:aws:iam::555123456789:user/draco", "accountId": "555123456789", "accessKeyId": "AKIADRAC0MALF0YEXAMP5", "userName": "draco", "sessionContext": { "attributes": { "creationDate": "2026-04-15T18:51:02Z", "mfaAuthenticated": "false" } } }, "eventTime": "2026-04-15T23:58:02Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateOpenIDConnectProvider", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.66", "userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6", "requestParameters": { "url": "https://draco-idp-666.example", "clientIDList": [ "draco-attacker-app" ], "thumbprintList": [ "c3768084dfb3d2b68b7897bf5f565da8eEXAMPLE" ] }, "responseElements": { "openIDConnectProviderArn": "arn:aws:iam::555123456789:oidc-provider/draco-idp-666.example" }, "requestID": "90000000-0000-4000-8000-000010010100", "eventID": "90000000-0000-4000-8000-000010010101", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "iam.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Persistence Privilege Escalation
Techniques:
- T1136.003 — Cloud Account — Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.
- T1556 — Modify Authentication Process — Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SA...
- T1484.002 — Trust Modification — Adversaries may add new domain trusts, modify the properties of existing domain trusts, or otherwise change the configuration of trust relationships between domains and tenants to evade defenses and/or elevate privileges.Trust details, such as whether or not user identities are federated, allow a...