Skip to content

CreateSAMLProvider

AWS

CreateSAMLProvider

service: AWS - IAM

Event

Registers a SAML 2.0 identity provider metadata document with IAM, enabling federated authentication via SAML.

Security Context

  • Creating cloud accounts provides a durable backdoor that persists independently of any compromised user’s credentials.
  • Escalating privileges enables adversaries to access sensitive resources and perform administrative actions beyond their initial access level.

Log Source

CloudTrail

Sample Event

Adversarial. Draco registers a new SAML 2.0 identity provider (DracoExternalIdP) in the production account using a SAML metadata document he generated against an attacker-controlled SimpleSAMLphp instance. Any role whose trust policy allows this SAML provider can subsequently be assumed via attacker-issued SAML assertions — a federation-trust persistence path that survives credential rotation.

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDADRAC0MALF0YBADGY",
"arn": "arn:aws:iam::555123456789:user/draco",
"accountId": "555123456789",
"accessKeyId": "AKIADRAC0MALF0YEXAMP5",
"userName": "draco",
"sessionContext": {
"attributes": {
"creationDate": "2026-04-15T18:51:02Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-04-16T00:51:42Z",
"eventSource": "iam.amazonaws.com",
"eventName": "CreateSAMLProvider",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.66",
"userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6",
"requestParameters": {
"name": "DracoExternalIdP",
"sAMLMetadataDocument": "HIDDEN_DUE_TO_SECURITY_REASONS"
},
"responseElements": {
"sAMLProviderArn": "arn:aws:iam::555123456789:saml-provider/DracoExternalIdP"
},
"requestID": "90000000-0000-4000-8000-000010011100",
"eventID": "90000000-0000-4000-8000-000010011101",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "iam.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Persistence Privilege Escalation

Techniques:
  • T1556 — Modify Authentication Process — Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SA...
  • T1136.003 — Cloud Account — Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.
  • T1484.002 — Trust Modification — Adversaries may add new domain trusts, modify the properties of existing domain trusts, or otherwise change the configuration of trust relationships between domains and tenants to evade defenses and/or elevate privileges.Trust details, such as whether or not user identities are federated, allow a...