AWS IAM Identity Center SSO configuration updated
Goal
Detects when the configuration for the current SSO instance is modified. This rule monitors for changes to AWS SSO settings that could impact authentication and access control.
Strategy
This rule monitors AWS CloudTrail logs for UpdateSsoConfiguration events originating from AWS IAM Identity Center. AWS SSO configuration updates can include changes to identity provider settings, authentication methods, and access control policies that govern how users authenticate and access AWS resources.
Triage & Response
- Review the @userIdentity.arn to identify the user or role that made the configuration change.
- Check if the change was made during a scheduled maintenance window or by an authorized administrator.
- Verify if the configuration change aligns with documented change management procedures.
- Examine the specific parameters modified in the SSO configuration to determine the scope of changes.
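
The triage steps above, sketched as an added Python example (not part of the rule or the original page): it filters constructed CloudTrail-style records for UpdateSsoConfiguration and grades each one by actor and timing. The sso.amazonaws.com event source, the authorized ARN prefix, the maintenance window and the placeholderSetting parameter name are assumptions for illustration.

```python
from datetime import datetime, timezone

# Assumptions, not from the rule page: event source string, admin ARN prefixes, window.
SSO_EVENT_SOURCE = "sso.amazonaws.com"
AUTHORIZED_ARN_PREFIXES = ("arn:aws:sts::111122223333:assumed-role/IdentityAdmin/",)
MAINTENANCE_WINDOWS = [("2024-05-04T02:00:00Z", "2024-05-04T04:00:00Z")]

def _rec(name, time, arn, params):
    """Build a constructed CloudTrail-style record (sample data only)."""
    return {"eventSource": SSO_EVENT_SOURCE, "eventName": name, "eventTime": time,
            "userIdentity": {"arn": arn}, "requestParameters": params}

_ADMIN = "arn:aws:sts::111122223333:assumed-role/IdentityAdmin/alice"
_OTHER = "arn:aws:iam::111122223333:user/build-bot"
# Constructed records; "placeholderSetting" stands in for real parameter names.
SAMPLE_RECORDS = [
    _rec("UpdateSsoConfiguration", "2024-05-04T02:30:00Z", _ADMIN, {"placeholderSetting": "a"}),
    _rec("UpdateSsoConfiguration", "2024-05-06T14:10:00Z", _ADMIN, None),
    _rec("UpdateSsoConfiguration", "2024-05-07T23:55:00Z", _OTHER, {"placeholderSetting": "b"}),
    _rec("ListInstances", "2024-05-07T23:56:00Z", _OTHER, None),
]

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def in_maintenance_window(event_time):
    t = _parse(event_time)
    return any(_parse(start) <= t <= _parse(end) for start, end in MAINTENANCE_WINDOWS)

def triage(records):
    """Return one finding per UpdateSsoConfiguration event, with a triage verdict."""
    findings = []
    for rec in records:
        if rec.get("eventName") != "UpdateSsoConfiguration":
            continue
        if rec.get("eventSource") != SSO_EVENT_SOURCE:
            continue
        arn = (rec.get("userIdentity") or {}).get("arn", "unknown")
        authorized = arn.startswith(AUTHORIZED_ARN_PREFIXES)
        windowed = in_maintenance_window(rec["eventTime"])
        # Unknown actor always escalates; known actor outside the window needs review.
        verdict = ("expected" if authorized and windowed
                   else "escalate" if not authorized else "review")
        findings.append({"time": rec["eventTime"], "arn": arn, "verdict": verdict,
                         # requestParameters can be null in CloudTrail records
                         "changed": sorted((rec.get("requestParameters") or {}).keys())})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(finding)
```

An empty "changed" list means the record carried no request parameters, so the scope of the change has to be confirmed against the current SSO configuration or with the actor.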