
Summary
This detection rule monitors changes made to the AWS Identity Center identity provider, formerly known as AWS Single Sign-On (SSO). Such changes can indicate security threats, including unauthorized access or privilege escalation through user impersonation. The detection focuses on the CloudTrail event sources for AWS SSO and its identity directory, and tracks the association and disassociation of directories as well as the enabling and disabling of external identity provider configurations. By capturing these events through AWS CloudTrail, the rule aims to surface unauthorized or malicious modifications of identity provider settings, which can indicate an attacker seeking persistence or elevated privileges. Given the significant risk that identity provider changes carry, this rule is assigned a high severity level. False positives include legitimate alterations made by authorized users to account configurations.
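As an added illustration, not part of the rule itself, the following Python applies the selection described above to constructed CloudTrail records and returns the fields an analyst would triage. The two event source names are taken from the description; the four eventName values are assumed from the operations it lists and should be confirmed against a real trail.

```python
import json

# CloudTrail eventSource values for AWS Identity Center (formerly AWS SSO) and its
# identity directory, as named in the rule description.
IDC_EVENT_SOURCES = {"sso.amazonaws.com", "sso-directory.amazonaws.com"}
# Assumed eventName values for the operations the rule covers (directory association
# and disassociation, external IdP enable and disable); confirm against your own trail.
IDC_EVENT_NAMES = {
    "AssociateDirectory", "DisassociateDirectory",
    "EnableExternalIdPConfigurationForDirectory",
    "DisableExternalIdPConfigurationForDirectory",
}

def is_identity_provider_change(record: dict) -> bool:
    """Selection logic: both eventSource and eventName must match."""
    return (record.get("eventSource") in IDC_EVENT_SOURCES
            and record.get("eventName") in IDC_EVENT_NAMES)

def triage_row(record: dict) -> dict:
    """Fields an analyst needs to decide whether the change was authorized."""
    identity = record.get("userIdentity", {})
    return {
        "time": record.get("eventTime"),
        "event": record.get("eventName"),
        "principal": identity.get("arn", identity.get("type")),
        "source_ip": record.get("sourceIPAddress"),
        # Denied attempts are still logged and still match; keep the error for triage.
        "error": record.get("errorCode"),
    }

def scan_trail(trail_json: str) -> list:
    """Apply the rule to one CloudTrail log file body ({"Records": [...]})."""
    records = json.loads(trail_json).get("Records", [])
    return [triage_row(r) for r in records if is_identity_provider_change(r)]

# Constructed sample trail (not real CloudTrail output): a benign read, an external
# IdP enable by an IAM user, and a denied directory disassociation by an assumed role.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2023-09-27T10:00:00Z", "eventSource": "sso.amazonaws.com",
     "eventName": "ListInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2023-09-27T10:05:00Z", "eventSource": "sso-directory.amazonaws.com",
     "eventName": "EnableExternalIdPConfigurationForDirectory",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"}},
    {"eventTime": "2023-09-27T10:06:00Z", "eventSource": "sso-directory.amazonaws.com",
     "eventName": "DisassociateDirectory", "sourceIPAddress": "198.51.100.7",
     "errorCode": "AccessDenied", "userIdentity": {"type": "AssumedRole"}},
]})
```

Running `scan_trail(SAMPLE_TRAIL)` yields two rows: the benign read is filtered out, while the denied disassociation is still reported because the rule matches on the attempt, not on its outcome.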
Categories
- Cloud
- AWS
- Identity Management
Data Sources
- Cloud Service
- Cloud Storage
Created: 2023-09-27