AWS IAM SAML Provider Created

Elastic Detection Rules

Summary
This detection rule identifies the creation of a new SAML Identity Provider (IdP) in AWS IAM. Creating a SAML provider establishes federated authentication between AWS and an external identity provider, which is why the event deserves attention: an adversary who has gained unauthorized administrative access could create a rogue SAML provider to maintain persistent access to the AWS account, even after credentials are rotated. Such an action is relatively rare in normal operations and warrants close monitoring and validation against authorized infrastructure changes. The rule specifically matches successful CreateSAMLProvider API calls to detect SAML provider creation.

The rule's triage and analysis steps propose investigating the identity of the actor involved, reviewing the details of the created SAML provider, validating its business justification, analyzing follow-on activity such as role creation, and correlating with other suspicious activity. False positives may arise from legitimate identity federation setups, SSO integration projects, or infrastructure deployments; these can be validated against change management records and CI/CD logs. The response and remediation guidance emphasizes immediate containment, thorough investigation, and hardening so that such actions are restricted to authorized personnel. Resources for further reading and incident response are also linked.
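The following is an added example, not the Elastic rule's own query: it applies the same condition the summary describes (a successful IAM CreateSAMLProvider call) to raw CloudTrail JSON records and pulls out the fields the triage steps ask for (actor, source IP, created provider). The sample log lines and their field layout are constructed for the example; the sAMLProviderArn key is assumed to be where CloudTrail reports the new provider.

```python
import json

# Constructed sample CloudTrail records (assumed shape, not real log data):
# a successful CreateSAMLProvider call, a denied one, and an unrelated IAM call.
SAMPLE_LOG_LINES = [
    json.dumps({
        "eventTime": "2026-02-05T10:15:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "CreateSAMLProvider", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {"name": "ExampleIdP"},
        "responseElements": {"sAMLProviderArn": "arn:aws:iam::111122223333:saml-provider/ExampleIdP"},
    }),
    json.dumps({
        "eventTime": "2026-02-05T10:16:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "CreateSAMLProvider", "sourceIPAddress": "203.0.113.11",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
        "errorCode": "AccessDenied",
    }),
    json.dumps({
        "eventTime": "2026-02-05T10:17:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "CreateRole", "sourceIPAddress": "203.0.113.12",
        "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/Admin/ci"},
    }),
]

def is_saml_provider_created(event: dict) -> bool:
    """The rule's condition: an IAM CreateSAMLProvider call that succeeded (no errorCode)."""
    return (
        event.get("eventSource") == "iam.amazonaws.com"
        and event.get("eventName") == "CreateSAMLProvider"
        and "errorCode" not in event
    )

def triage_alerts(log_lines: list[str]) -> list[dict]:
    """Scan newline-delimited CloudTrail JSON; return the triage context for each hit."""
    alerts = []
    for line in log_lines:
        event = json.loads(line)
        if not is_saml_provider_created(event):
            continue
        # Fields the rule's triage steps call for: who acted, from where, and what was created.
        alerts.append({
            "time": event.get("eventTime"),
            "actor_arn": event.get("userIdentity", {}).get("arn"),
            "source_ip": event.get("sourceIPAddress"),
            "provider_name": event.get("requestParameters", {}).get("name"),
            "provider_arn": event.get("responseElements", {}).get("sAMLProviderArn"),
        })
    return alerts
```

Only the first record produces an alert; the denied call is excluded because the rule matches successful calls only, so a failed attempt would need a separate detection.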
Categories
  • Cloud
Data Sources
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1078
  • T1078.004
  • T1484
  • T1484.002
Created: 2026-02-05