OpenID Connect CloudTrail Query Runbooks for AWS Security
OpenID Connect (OIDC) CloudTrail Query Runbooks cut through the noise of raw CloudTrail logs. They give you a precise set of steps to detect, investigate, and respond to suspicious OIDC activity inside AWS. Instead of chasing raw log streams, you run a targeted query, confirm what happened, and take action before it becomes a headline.
AWS CloudTrail records every call to the AssumeRoleWithWebIdentity API, token exchange, and identity provider configuration change. For OIDC, these events are critical. A malicious client ID, a sudden switch in identity provider URLs, or unexpected role assumptions all leave traces here. A well-crafted runbook turns that forensic data into operational defense.
An effective OIDC CloudTrail runbook starts with event filtering. Use eventSource = "sts.amazonaws.com" with eventName IN ("AssumeRoleWithWebIdentity") to isolate OIDC role assumptions. Extend the query to flag source IPs outside approved CIDR blocks, audience claims that do not match the expected value, or roles not assigned to the calling identity provider.
Next, flag identity provider modifications. Query for eventSource = "iam.amazonaws.com" and eventName IN ("CreateOpenIDConnectProvider", "UpdateOpenIDConnectProviderThumbprint", "DeleteOpenIDConnectProvider"). These indicate changes to trust boundaries. Correlate each change with who made it, from where, and at what time.
Because CloudTrail is often flooded with unrelated data, optimize queries by time range and specific role ARNs. Build saved Athena queries and parameterized variables for rapid re-use. Each runbook step should include the exact SQL or CloudTrail Lake query, the verification actions, and the escalation path.
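The verification step for the two filters above (role assumptions and identity provider changes), written as an added example rather than code from this page or from hoop.dev: it applies the checks to CloudTrail records in Python, as a subscription-filter trigger would before handing results to a reviewer. The approved CIDRs, provider ARN, audience, role mapping and sample records are all constructed for the example.

```python
import ipaddress
# Constructed policy for this example (assumptions, not from the page): approved source
# CIDRs, plus the audience and role ARNs each IAM OIDC provider is allowed to assume.
GH = "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"
APPROVED_CIDRS = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]
PROVIDER_POLICY = {GH: {"audiences": {"sts.amazonaws.com"},
                        "roles": {"arn:aws:iam::123456789012:role/ci-deploy"}}}
IDP_CHANGE_EVENTS = {"CreateOpenIDConnectProvider", "DeleteOpenIDConnectProvider",
                     "UpdateOpenIDConnectProviderThumbprint"}

def triage(event):
    """Run the runbook checks on one CloudTrail record; returns a list of findings ([] = clean)."""
    findings, src, name = [], event.get("eventSource"), event.get("eventName")
    if src == "sts.amazonaws.com" and name == "AssumeRoleWithWebIdentity":
        resp = event.get("responseElements") or {}  # STS records provider/audience here
        policy = PROVIDER_POLICY.get(resp.get("provider"))
        role = (event.get("requestParameters") or {}).get("roleArn")
        try:  # sourceIPAddress is a DNS name rather than an IP when an AWS service called
            ip = ipaddress.ip_address(event.get("sourceIPAddress", ""))
            if not any(ip in net for net in APPROVED_CIDRS):
                findings.append(f"source IP {ip} outside approved CIDRs")
        except ValueError:
            findings.append(f"non-IP source {event.get('sourceIPAddress')!r}")
        if policy is None:
            findings.append(f"unknown identity provider {resp.get('provider')!r}")
        else:
            if resp.get("audience") not in policy["audiences"]:
                findings.append(f"unexpected audience {resp.get('audience')!r}")
            if role not in policy["roles"]:
                findings.append(f"role {role} not assigned to this provider")
    elif src == "iam.amazonaws.com" and name in IDP_CHANGE_EVENTS:
        who = (event.get("userIdentity") or {}).get("arn", "unknown")
        findings.append(f"trust change {name} by {who} from {event.get('sourceIPAddress')} at {event.get('eventTime')}")
    return findings

def run_runbook(records):
    return {r["eventID"]: f for r in records if (f := triage(r))}  # clean records omitted

# Constructed sample records shaped like CloudTrail output (not real log data).
SAMPLE_RECORDS = [
    {"eventID": "e1", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRoleWithWebIdentity",
     "sourceIPAddress": "203.0.113.7", "responseElements": {"provider": GH, "audience": "sts.amazonaws.com"},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/ci-deploy"}},
    {"eventID": "e2", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRoleWithWebIdentity",
     "sourceIPAddress": "192.0.2.44", "responseElements": {"provider": GH, "audience": "https://other.example"},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/admin"}},
    {"eventID": "e3", "eventSource": "iam.amazonaws.com", "eventName": "UpdateOpenIDConnectProviderThumbprint",
     "sourceIPAddress": "203.0.113.9", "eventTime": "2024-05-01T10:09:00Z",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
]
```

Running `run_runbook(SAMPLE_RECORDS)` drops the clean record e1 and returns three findings for e2 and one trust-change finding for e3, which is the context a reviewer needs before escalating.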
Security teams that mature these runbooks integrate them into automated workflows. Detect the risky event via subscription filter, trigger the query, and push results into Ops tooling. Human review then runs with context already at hand. This reduces mean time to detect and respond, and increases confidence in OIDC-based federations.
Do not let OIDC operations become a blind spot. Structured CloudTrail queries in a documented runbook are the fastest path to visibility and action. Build them now and you won’t need to improvise later.
See how you can set up and run OIDC CloudTrail query runbooks live in minutes at hoop.dev.