
Summary
This rule detects the creation of OpenID Connect (OIDC) identity providers in AWS IAM (the CreateOpenIDConnectProvider API call, recorded in CloudTrail) by a user or role that has not created one before in that account. OIDC providers enable web identity federation: a principal that authenticates with an external identity provider can exchange that provider's token for temporary AWS credentials by calling AssumeRoleWithWebIdentity against an IAM role whose trust policy names the provider.

An adversary who has already obtained administrative privileges can register a provider they control, add it to the trust policy of an existing or newly created role, and then mint tokens from that provider to assume the role. Because this access path relies on tokens the adversary issues rather than on stolen AWS credentials, it survives password resets and access-key rotation and is therefore an effective persistence mechanism.

The detection fires on the first occurrence of an OIDC provider being created by a given user or role in an account. Each alert should be checked against the approved change management record for that account. Legitimate reasons for creating OIDC providers include CI/CD pipelines (so that a build system can assume a role without long-lived access keys), Kubernetes service accounts, and infrastructure-as-code deployments. Because the same mechanism grants an adversary durable access, creation by a principal that has never done so before warrants verification and investigation.

The rule also lists possible false positives and investigation steps to confirm authenticity: review the CloudTrail record for the call (the calling identity, source IP address and user agent, and the provider URL, client ID list and thumbprint list that were supplied), validate the business justification with the owner of the principal, and look for follow-on actions that commonly accompany provider creation, such as CreateRole or UpdateAssumeRolePolicy calls whose trust policy federates the new provider ARN, and subsequent AssumeRoleWithWebIdentity calls through it. If the provider is not authorized, contain immediately by deleting it (DeleteOpenIDConnectProvider) and removing it from the trust policy of every IAM role that references it.
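The following is an added illustration of the detection and triage logic described above, not the rule's own query. It runs a first-seen check for CreateOpenIDConnectProvider over a handful of constructed CloudTrail-shaped records and then correlates each new provider with the CreateRole / UpdateAssumeRolePolicy events whose trust policy federates it, which is the follow-on activity an investigator would look for. The account ID, principal ARNs, provider URLs and role names are hypothetical; only the CloudTrail field names (eventSource, eventName, userIdentity.arn, requestParameters, responseElements) are real.

```python
"""Added example (not the rule's own implementation): first-seen detection for
IAM OIDC provider creation over CloudTrail records, plus correlation to roles
whose trust policy federates the new provider. All records and ARNs are constructed."""
import json
from urllib.parse import unquote

ACCOUNT = "123456789012"                                          # hypothetical account
DEPLOY_ROLE = f"arn:aws:iam::{ACCOUNT}:role/terraform-deploy"     # hypothetical IaC principal
CONTRACTOR = f"arn:aws:iam::{ACCOUNT}:user/contractor"            # hypothetical human principal
CI_PROVIDER = f"arn:aws:iam::{ACCOUNT}:oidc-provider/ci.example.com"
ROGUE_PROVIDER = f"arn:aws:iam::{ACCOUNT}:oidc-provider/idp.attacker.example"


def _ct(name, actor, params=None, resp=None, source="iam.amazonaws.com", ip="198.51.100.10"):
    """Build a minimal CloudTrail-shaped record (constructed test data, not a real trail)."""
    return {"eventSource": source, "eventName": name, "recipientAccountId": ACCOUNT,
            "userIdentity": {"arn": actor}, "sourceIPAddress": ip,
            "userAgent": "aws-cli/2.15.0", "requestParameters": params or {},
            "responseElements": resp}


CI_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Federated": CI_PROVIDER},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {"ci.example.com:aud": "sts.amazonaws.com"}}}]})
ADMIN_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Federated": ROGUE_PROVIDER},
    "Action": "sts:AssumeRoleWithWebIdentity"}]})

EVENTS = [  # constructed sample trail, in time order
    _ct("CreateOpenIDConnectProvider", DEPLOY_ROLE,
        {"url": "https://ci.example.com", "clientIDList": ["sts.amazonaws.com"]},
        {"openIDConnectProviderArn": CI_PROVIDER}),
    _ct("CreateRole", DEPLOY_ROLE, {"roleName": "ci-deploy", "assumeRolePolicyDocument": CI_TRUST}),
    _ct("CreateOpenIDConnectProvider", DEPLOY_ROLE,          # same principal again: not first-seen
        {"url": "https://ci.example.com", "clientIDList": ["sts.amazonaws.com"]},
        {"openIDConnectProviderArn": CI_PROVIDER}),
    _ct("CreateOpenIDConnectProvider", CONTRACTOR,           # first time for this principal
        {"url": "https://idp.attacker.example", "clientIDList": ["sts.amazonaws.com"]},
        {"openIDConnectProviderArn": ROGUE_PROVIDER}, ip="203.0.113.77"),
    _ct("UpdateAssumeRolePolicy", CONTRACTOR, {"roleName": "AdminAccess", "policyDocument": ADMIN_TRUST}),
]


def is_provider_creation(ev):
    return (ev.get("eventSource") == "iam.amazonaws.com"
            and ev.get("eventName") == "CreateOpenIDConnectProvider"
            and not ev.get("errorCode"))          # a denied call created nothing


def first_seen_creations(events, seen=None):
    """One alert per (account, principal) the first time it creates an OIDC provider.
    `seen` is the state a real detection persists across runs."""
    seen = set() if seen is None else seen
    alerts = []
    for ev in events:
        if not is_provider_creation(ev):
            continue
        key = (ev["recipientAccountId"], ev["userIdentity"]["arn"])
        if key in seen:
            continue
        seen.add(key)
        alerts.append({
            "account": key[0], "actor": key[1],
            "provider_arn": (ev.get("responseElements") or {}).get("openIDConnectProviderArn"),
            "url": ev["requestParameters"].get("url"),
            "client_ids": ev["requestParameters"].get("clientIDList", []),
            "source_ip": ev.get("sourceIPAddress"), "user_agent": ev.get("userAgent")})
    return alerts


def trust_policy_of(ev):
    """Parse the trust policy carried by CreateRole / UpdateAssumeRolePolicy, else None."""
    if ev.get("eventSource") != "iam.amazonaws.com":
        return None
    params = ev.get("requestParameters") or {}
    raw = {"CreateRole": params.get("assumeRolePolicyDocument"),
           "UpdateAssumeRolePolicy": params.get("policyDocument")}.get(ev.get("eventName"))
    # CloudTrail may record policy documents URL-encoded; unquote is a no-op otherwise.
    return json.loads(unquote(raw)) if raw else None


def roles_trusting(events, provider_arn):
    """(eventName, roleName, actor) for every trust-policy change that federates provider_arn."""
    hits = []
    for ev in events:
        policy = trust_policy_of(ev)
        if not policy:
            continue
        stmts = policy.get("Statement", [])
        for st in ([stmts] if isinstance(stmts, dict) else stmts):
            fed = (st.get("Principal") or {}).get("Federated") or []
            fed = [fed] if isinstance(fed, str) else fed
            if st.get("Effect") == "Allow" and provider_arn in fed:
                hits.append((ev["eventName"], ev["requestParameters"]["roleName"],
                             ev["userIdentity"]["arn"]))
    return hits


def triage(events):
    """First-seen alerts enriched with the roles that now trust each new provider."""
    alerts = first_seen_creations(events)
    for alert in alerts:
        alert["trusting_roles"] = roles_trusting(events, alert["provider_arn"])
    return alerts


if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(json.dumps(alert, indent=2))
```

Run over the sample trail this yields two alerts: one for the IaC role, whose provider is trusted only by a narrowly conditioned ci-deploy role, and one for the contractor user, whose provider was immediately added to the trust policy of a role named AdminAccess from an unfamiliar source address. The second is the pattern the rule exists to surface; the first is the kind of benign hit that should be closed against the change record. The `seen` set is what turns a plain event match into the first-seen behaviour the rule describes, so in production it must be persisted rather than rebuilt per run.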
Categories
- Cloud
Data Sources
- Cloud Service
- User Account
- Application Log
ATT&CK Techniques
- T1078
- T1078.004
- T1484
- T1484.002
Created: 2026-02-05