
Summary
The Decoy IAM Assumed rule identifies suspicious access to decoy IAM roles in AWS environments. When an actor assumes a decoy IAM role, the rule generates a finding indicating possible unauthorized access. The role is provisioned specifically to monitor activity; it generates alerts when accessed and so serves as an indicator of anomalous behavior. The rule uses AWS API logs (AWS.SecurityFindingFormat) to detect calls to the 'AssumeRole' action; when an actor (typically a user or service) accesses the decoy role and that access is deemed unusual, an alert is triggered. Conversely, the absence of access attempts against the decoy role establishes a baseline of normal activity against which potentially malicious actions can be compared. The finding captures details such as the AWS account ID, the user's actions, and the geographic location of the actor, aiding forensic analysis.
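The detection logic described above, as an added example that is not the rule's own code: it matches AssumeRole events whose target is a decoy role and returns the forensic context (account ID, actor, source IP) a finding would carry. The event shape is assumed to be CloudTrail's AssumeRole record (the page shows no schema), the decoy ARN is a placeholder, and the sample events are constructed.

```python
"""Added example: flag AssumeRole calls that target decoy IAM roles.
Events are constructed in CloudTrail's AssumeRole shape (an assumption;
the page shows no schema) and the decoy role ARN is a placeholder."""
from typing import Optional

# Assumption: decoy roles are identified by their full ARN (placeholder value).
DECOY_ROLE_ARNS = {"arn:aws:iam::111122223333:role/decoy-admin"}


def decoy_role_assumed(event: dict) -> Optional[dict]:
    """Return alert context if the event is an AssumeRole against a decoy role.
    Denied attempts count too: nothing legitimate should touch the role,
    so a failed call is the same signal as a successful one."""
    if event.get("eventSource") != "sts.amazonaws.com" or event.get("eventName") != "AssumeRole":
        return None
    # Missing requestParameters (malformed record) must not raise; treat as no match.
    role_arn = (event.get("requestParameters") or {}).get("roleArn")
    if role_arn not in DECOY_ROLE_ARNS:
        return None
    identity = event.get("userIdentity") or {}
    return {
        "role_arn": role_arn,
        "account_id": event.get("recipientAccountId"),
        "actor": identity.get("arn") or identity.get("principalId", "unknown"),
        "actor_type": identity.get("type"),
        # The log carries the caller IP; geolocation is a lookup on this value.
        "source_ip": event.get("sourceIPAddress"),
        "outcome": "denied" if event.get("errorCode") else "success",
    }


def alerts_for(events: list) -> list:
    """Run the check over a batch of events and keep only the hits."""
    return [hit for hit in map(decoy_role_assumed, events) if hit]


# Constructed sample events: a successful hit, a denied hit, and a benign AssumeRole.
SAMPLE_EVENTS = [
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "recipientAccountId": "111122223333",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/decoy-admin"}},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "recipientAccountId": "111122223333",
     "sourceIPAddress": "198.51.100.7", "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLE:ci-runner"},
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/decoy-admin"}},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "recipientAccountId": "111122223333",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/deploy"}},
]
```

Running `alerts_for(SAMPLE_EVENTS)` yields two findings (alice's successful assumption and the denied attempt by the ci-runner session) and ignores bob's AssumeRole against the non-decoy deploy role.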
Categories
- Cloud
- AWS
Data Sources
- Cloud Service
- User Account
- Logon Session
Created: 2024-06-27