
IAM Role Policy Updated to Allow Internet Access

Panther Rules

Summary
This rule detects changes to an AWS Identity and Access Management (IAM) role's trust policy that make the role assumable from outside the account. It matches AWS CloudTrail events with eventName UpdateAssumeRolePolicy from the IAM service. That API call replaces a role's assume-role (trust) policy, which controls which principals may call sts:AssumeRole on the role; it does not grant permissions to the role itself. A trust policy whose Principal is "*" (or {"AWS": "*"}) with no restricting Condition lets any AWS account assume the role, which is a common way for an attacker who already has IAM write access to leave a persistent backdoor. "Internet access" in the rule title refers to this exposure of the role to any caller, not to network egress. The rule is rated medium severity because such a change can hand control of the role's permissions to an arbitrary external party. When it fires, confirm whether the calling identity (userIdentity in the event) was authorized to change the role, review the new policy document in requestParameters.policyDocument, and, if the change is not legitimate, restore the previous trust policy and investigate the caller's other activity.
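The following is an added worked example of the detection logic described above, run over constructed CloudTrail records. It is not Panther's own rule code: it keeps a Panther-style rule(event) and title(event) signature but works on plain Python dicts rather than Panther's event helpers, and the sample events, account IDs and role names are made up for illustration.

```python
import json
from typing import Any, Dict, List

# CloudTrail records the new trust policy as a JSON *string* inside
# requestParameters.policyDocument; accept a dict too for convenience.
def load_policy_document(raw: Any) -> Dict[str, Any]:
    if isinstance(raw, str):
        return json.loads(raw)
    return raw or {}

def _as_list(value: Any) -> List[Any]:
    # IAM allows Statement, Principal values, etc. to be a scalar or a list.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _principal_is_wildcard(principal: Any) -> bool:
    # Principal may be "*", {"AWS": "*"}, or {"AWS": ["arn:...", "*"]}.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(v == "*" for vals in principal.values() for v in _as_list(vals))
    return False

def public_trust_statements(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return Allow statements that let any principal assume the role.

    Wildcard principals that carry a Condition (for example a limit on
    aws:PrincipalOrgID) are deliberately skipped here: they are a common
    legitimate pattern and belong in a separate, lower-severity check.
    """
    hits = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "Condition" in stmt:
            continue
        if _principal_is_wildcard(stmt.get("Principal")):
            hits.append(stmt)
    return hits

def rule(event: Dict[str, Any]) -> bool:
    if event.get("eventSource") != "iam.amazonaws.com":
        return False
    if event.get("eventName") != "UpdateAssumeRolePolicy":
        return False
    if event.get("errorCode"):
        # The call was rejected (e.g. AccessDenied); the trust policy did not change.
        return False
    params = event.get("requestParameters") or {}
    policy = load_policy_document(params.get("policyDocument"))
    return bool(public_trust_statements(policy))

def title(event: Dict[str, Any]) -> str:
    params = event.get("requestParameters") or {}
    caller = (event.get("userIdentity") or {}).get("arn", "<unknown>")
    return f"IAM role [{params.get('roleName')}] trust policy opened to any principal by [{caller}]"

# --- Constructed sample events (not real CloudTrail data) ---
def _event(policy: Dict[str, Any], error: str = None) -> Dict[str, Any]:
    ev = {
        "eventSource": "iam.amazonaws.com",
        "eventName": "UpdateAssumeRolePolicy",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"},
        "requestParameters": {
            "roleName": "ExampleDeployRole",
            "policyDocument": json.dumps(policy),
        },
    }
    if error:
        ev["errorCode"] = error
    return ev

BACKDOORED = _event({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]})

LEGITIMATE = _event({"Version": "2012-10-17", "Statement": {
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole"}})

ORG_SCOPED = _event({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}]})

FAILED_CALL = _event({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"}]},
    error="AccessDenied")

if __name__ == "__main__":
    for name, ev in [("backdoored", BACKDOORED), ("legitimate", LEGITIMATE),
                     ("org_scoped", ORG_SCOPED), ("failed_call", FAILED_CALL)]:
        print(f"{name:12s} alert={rule(ev)}")
```

The errorCode check matters in practice: CloudTrail logs denied attempts with the same eventName, so without it the rule would alert on changes that never took effect (those attempts are still worth a separate, lower-priority detection).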
Categories
  • Cloud
  • AWS
  • Identity Management
Data Sources
  • Cloud Service
  • Cloud Storage
  • Application Log
ATT&CK Techniques
  • T1078
Created: 2025-01-31