IAM SAML providers enable federated role assumption via the STS AssumeRoleWithSAML API.
This check evaluates whether at least one such provider exists in the account.
Risk
Without SAML federation, users rely on long-lived IAM access keys. Compromised keys enable persistent API access, causing data exfiltration (confidentiality), unauthorized resource or policy changes (integrity), and difficult revocation. Lack of IdP controls (e.g., MFA, session limits) weakens accountability and access governance.
prowler aws --checks iam_check_saml_providers_sts
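The check's pass/fail logic, re-implemented as an added example (not Prowler's own code): it evaluates the response shape of IAM ListSAMLProviders, passes when at least one provider exists, and additionally reports providers whose metadata ValidUntil has already passed. The sample responses, account ID and ARNs are constructed placeholders; boto3 is assumed only for the optional live-account call.

```python
"""Offline re-implementation of the check above (added example, not Prowler's code).

PASS when the account has at least one IAM SAML provider, FAIL otherwise. As an
extra defender's check it also lists providers whose ValidUntil has passed, since
AssumeRoleWithSAML stops working for an IdP with expired metadata.
"""
from datetime import datetime, timezone


def _as_datetime(value):
    """Accept the datetime boto3 returns or the ISO-8601 string the CLI prints."""
    if isinstance(value, datetime):
        return value if value.tzinfo else value.replace(tzinfo=timezone.utc)
    return datetime.fromisoformat(str(value).replace("Z", "+00:00"))


def evaluate_saml_providers(response, now=None):
    """Turn a ListSAMLProviders response dict into a finding dict."""
    now = now or datetime.now(timezone.utc)
    providers = response.get("SAMLProviderList", [])
    if not providers:
        return {"status": "FAIL", "providers": [], "expired": [],
                "message": "No IAM SAML identity providers found."}
    expired = [p["Arn"] for p in providers
               if "ValidUntil" in p and _as_datetime(p["ValidUntil"]) < now]
    return {"status": "PASS", "providers": [p["Arn"] for p in providers],
            "expired": expired,
            "message": f"{len(providers)} SAML provider(s), {len(expired)} expired."}


def check_live_account(session=None):
    """Run against a real account; boto3 is imported lazily so the rest stays offline."""
    import boto3  # assumed available only when this function is called
    iam = (session or boto3).client("iam")
    return evaluate_saml_providers(iam.list_saml_providers())


# Constructed sample responses; the account ID and ARNs are placeholders, not real.
SAMPLE_WITH_PROVIDER = {"SAMLProviderList": [
    {"Arn": "arn:aws:iam::123456789012:saml-provider/ExampleIdP",
     "ValidUntil": "2030-01-01T00:00:00Z", "CreateDate": "2024-01-01T00:00:00Z"}]}
SAMPLE_EXPIRED = {"SAMLProviderList": [
    {"Arn": "arn:aws:iam::123456789012:saml-provider/StaleIdP",
     "ValidUntil": "2020-01-01T00:00:00Z", "CreateDate": "2019-01-01T00:00:00Z"}]}
SAMPLE_EMPTY = {"SAMLProviderList": []}

if __name__ == "__main__":
    for sample in (SAMPLE_WITH_PROVIDER, SAMPLE_EXPIRED, SAMPLE_EMPTY):
        print(evaluate_saml_providers(sample))
```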
Recommendation
Adopt SAML federation to issue short-lived STS credentials. Map users to roles with least privilege, enforce MFA at the IdP, and set conservative session durations. Retire IAM user access keys for interactive use and monitor role sessions as defense in depth. If federation isn't possible, tightly scope, rotate, and audit keys.
Remediation
aws iam create-saml-provider --name <SAML_PROVIDER_NAME> --saml-metadata-document file://<SAML_METADATA_XML_FILE>
- In the AWS console, go to IAM
- In the left menu, select Identity providers
- Click Add provider
- Set Provider type to SAML
- Upload the SAML metadata XML and enter a Provider name
- Click Add provider
Source Code
Resource Type
Other