
Summary
This detection rule identifies potentially malicious activity involving AWS IAM API operations performed with temporary security credentials. Such credentials are recognisable by their access key ID, which begins with 'ASIA' (long-term IAM user access keys begin with 'AKIA'); the session token itself is a separate opaque value that accompanies the key. Temporary credentials are routine for assumed roles and federated sessions, but IAM management calls made under an IAM user identity through temporary credentials are uncommon and may indicate credential theft or abuse of elevated access via a compromised session. The detection queries AWS CloudTrail logs for IAM API actions whose user identity is an IAM user and whose access key ID carries the temporary-credential prefix. Recommended investigative steps are to review the user identity, the source IP, the STS call that issued the temporary credentials, and other API calls made with the same credentials, in order to confirm whether the activity is legitimate. The rule also lists the main false-positive sources: legitimate CI/CD pipelines and administrative tasks that obtain session tokens. It is mapped to the Persistence tactic (T1098, Account Manipulation) in the MITRE ATT&CK framework and supports defending AWS environments against unauthorized access and privilege escalation.
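The summary describes the detection in prose only; the rule's own query is not reproduced on this page. The following is an added Python example, not the rule's code, that replays that logic over a handful of constructed CloudTrail records and then carries out the suggested triage steps: find the STS call that minted the key, compare its source IP with the IP that later used the key, and list the other calls made with the same key. The CloudTrail field names eventSource, eventName, sourceIPAddress, userIdentity.type and userIdentity.accessKeyId are real; the assumption that the issuing STS event exposes the new key under responseElements.credentials.accessKeyId, and every sample value, are mine.

```python
"""Replay of the rule's core logic over constructed CloudTrail records (added example)."""
from typing import Optional

TEMP_KEY_PREFIX = "ASIA"          # STS-issued access key IDs; long-term IAM user keys start with AKIA
IAM_SOURCE = "iam.amazonaws.com"
STS_SOURCE = "sts.amazonaws.com"

# Constructed sample records, not real CloudTrail output. Only the fields the
# logic below reads are populated; eventID and key values are made up.
SAMPLE_EVENTS = [
    # 1. IAM user acting through temporary credentials, calling the IAM API -> should match
    {"eventID": "ev-1", "eventSource": IAM_SOURCE, "eventName": "CreateAccessKey",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accessKeyId": "ASIAEXAMPLE000000001"}},
    # 2. same user with a long-term key -> not in scope
    {"eventID": "ev-2", "eventSource": IAM_SOURCE, "eventName": "ListUsers",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accessKeyId": "AKIAEXAMPLE000000002"}},
    # 3. assumed role: always temporary credentials, so the rule must not fire on it
    {"eventID": "ev-3", "eventSource": IAM_SOURCE, "eventName": "AttachUserPolicy",
     "sourceIPAddress": "203.0.113.55",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000003",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Deploy/ci"}},
    # 4. IAM user with temporary credentials but a non-IAM API call -> out of scope, but useful context
    {"eventID": "ev-4", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accessKeyId": "ASIAEXAMPLE000000001"}},
    # 5. the STS call that minted key 1, from a different IP than the one that later used it
    {"eventID": "ev-5", "eventSource": STS_SOURCE, "eventName": "GetSessionToken",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accessKeyId": "AKIAEXAMPLE000000002"},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE000000001",
                                          "expiration": "2025-04-16T13:00:00Z"}}},  # assumed layout
]


def is_match(event: dict) -> bool:
    """Rule predicate: IAM API call + IAMUser identity + temporary access key ID."""
    ident = event.get("userIdentity") or {}
    key_id = ident.get("accessKeyId") or ""   # some records carry no key (e.g. console sign-in)
    return (event.get("eventSource") == IAM_SOURCE
            and ident.get("type") == "IAMUser"
            and key_id.startswith(TEMP_KEY_PREFIX))


def detect(events: list) -> list:
    """Return the records the rule would alert on."""
    return [e for e in events if is_match(e)]


def find_issuing_sts_event(events: list, key_id: str) -> Optional[dict]:
    """Locate the STS call whose response minted key_id (origin of the session token).
    Assumes the key is exposed at responseElements.credentials.accessKeyId."""
    for e in events:
        if e.get("eventSource") != STS_SOURCE:
            continue
        creds = (e.get("responseElements") or {}).get("credentials") or {}
        if creds.get("accessKeyId") == key_id:
            return e
    return None


def related_calls(events: list, key_id: str, exclude_id: Optional[str] = None) -> list:
    """Other API calls made with the same temporary key, as 'source:action' strings."""
    return [f'{e["eventSource"]}:{e["eventName"]}' for e in events
            if (e.get("userIdentity") or {}).get("accessKeyId") == key_id
            and e.get("eventID") != exclude_id]


def triage(events: list) -> list:
    """One context row per hit: who, what, from where, who issued the key, and whether
    the key was used from a different IP than the one that obtained it."""
    rows = []
    for hit in detect(events):
        key_id = hit["userIdentity"]["accessKeyId"]
        origin = find_issuing_sts_event(events, key_id)
        rows.append({
            "user": hit["userIdentity"].get("userName"),
            "action": hit["eventName"],
            "source_ip": hit.get("sourceIPAddress"),
            "issued_by": origin["eventName"] if origin else None,
            "issued_from_ip": origin.get("sourceIPAddress") if origin else None,
            "ip_mismatch": bool(origin) and origin.get("sourceIPAddress") != hit.get("sourceIPAddress"),
            "related_calls": related_calls(events, key_id, exclude_id=hit.get("eventID")),
        })
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

On the constructed data only record 1 fires: the AKIA call, the assumed-role call and the S3 call are all filtered out, and the triage row shows that the key used for CreateAccessKey was obtained by a GetSessionToken call from a different source IP, which is exactly the credential-theft pattern the investigative steps are meant to surface. The ip_mismatch check is a heuristic, not part of the rule: CI/CD runners and NAT gateways legitimately produce the same pattern, which is why the page lists them as false positives.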
Categories
- Cloud
- AWS
- Identity Management
Data Sources
- Cloud Service
- User Account
- Network Traffic
- Logon Session
- Application Log
ATT&CK Techniques
- T1098
Created: 2025-04-16