CreateSAMLProvider
AWS
CreateSAMLProvider
Event
Registers a SAML 2.0 identity provider metadata document with IAM, enabling federated authentication via SAML.
Security Context
- Creating cloud accounts provides a durable backdoor that persists independently of any compromised user’s credentials.
- Escalating privileges enables adversaries to access sensitive resources and perform administrative actions beyond their initial access level.
Log Source
CloudTrail
Sample Event
Adversarial. Draco registers a new SAML 2.0 identity provider (DracoExternalIdP) in the production account using a SAML metadata document he generated against an attacker-controlled SimpleSAMLphp instance. Any role whose trust policy allows this SAML provider can subsequently be assumed via attacker-issued SAML assertions — a federation-trust persistence path that survives credential rotation.
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDADRAC0MALF0YBADGY", "arn": "arn:aws:iam::555123456789:user/draco", "accountId": "555123456789", "accessKeyId": "AKIADRAC0MALF0YEXAMP5", "userName": "draco", "sessionContext": { "attributes": { "creationDate": "2026-04-15T18:51:02Z", "mfaAuthenticated": "false" } } }, "eventTime": "2026-04-16T00:51:42Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateSAMLProvider", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.66", "userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6", "requestParameters": { "name": "DracoExternalIdP", "sAMLMetadataDocument": "HIDDEN_DUE_TO_SECURITY_REASONS" }, "responseElements": { "sAMLProviderArn": "arn:aws:iam::555123456789:saml-provider/DracoExternalIdP" }, "requestID": "90000000-0000-4000-8000-000010011100", "eventID": "90000000-0000-4000-8000-000010011101", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "iam.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Persistence Privilege Escalation
Techniques:
- T1556 — Modify Authentication Process — Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SA...
- T1136.003 — Cloud Account — Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.
- T1484.002 — Trust Modification — Adversaries may add new domain trusts, modify the properties of existing domain trusts, or otherwise change the configuration of trust relationships between domains and tenants to evade defenses and/or elevate privileges.Trust details, such as whether or not user identities are federated, allow a...