Elastic Security Detection Rules

AWS IAM SAML Provider Created

Last updated 20 days ago on 2026-02-05
Created 20 days ago on 2026-02-05

About

Detects the creation of a new SAML Identity Provider (IdP) in AWS IAM. SAML providers enable federated authentication between AWS and external identity providers, allowing users to access AWS resources using credentials from the external IdP. Adversaries who have gained administrative access may create rogue SAML providers to establish persistent, federated access to AWS accounts that survives credential rotation. This technique allows attackers to assume roles and access resources by forging SAML assertions from an IdP they control. Creating a SAML provider is a rare administrative action that should be closely monitored and validated against authorized infrastructure changes.
Tags
Domain: CloudData Source: AWSData Source: Amazon Web ServicesData Source: AWS IAMUse Case: Identity and Access AuditTactic: PersistenceLanguage: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Persistence (TA0003)(external, opens in a new tab or window)

Valid Accounts (T1078)(external, opens in a new tab or window)

Privilege Escalation (TA0004)(external, opens in a new tab or window)

Domain or Tenant Policy Modification (T1484)(external, opens in a new tab or window)

False Positive Examples
SAML providers may be created during legitimate identity federation setup, SSO integration projects, or infrastructure-as-code deployments. Verify whether the user identity and timing align with approved change management processes. If this is expected administrative activity, it can be exempted from the rule.
License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*logs-aws.cloudtrail-*
Related Integrations

aws(external, opens in a new tab or window)

Query
text code block:
event.dataset: "aws.cloudtrail"
    and event.provider: "iam.amazonaws.com"
    and event.action: "CreateSAMLProvider"
    and event.outcome: "success"

Install detection rules in Elastic Security

Detect AWS IAM SAML Provider Created in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).