
Summary
Detects when an IAM instance profile is associated with a running EC2 instance, or when the existing association is replaced. Either change alters the credentials the instance receives from the instance metadata service (IMDS) without a reboot. An attacker holding the relevant EC2 permissions plus iam:PassRole can call AssociateIamInstanceProfile or ReplaceIamInstanceProfileAssociation to bind a more privileged role to a workload they already control, then read the new credentials from IMDS to escalate privileges or move laterally.

The rule relies on CloudTrail data (aws.cloudtrail) with an event source of ec2.amazonaws.com, an action of AssociateIamInstanceProfile or ReplaceIamInstanceProfileAssociation, and a successful outcome; calls made by AWS service principals or through SSM automation are excluded to reduce noise. Investigative fields include the instance ID, the target IAM role or instance profile ARN, the calling user identity, the source IP, and the request and response parameters.

Triage should map the affected EC2 instance to its owner, application, and data sensitivity, and look for indicators of compromise such as IMDS credential theft via SSRF or unusual AssumeRole activity originating from the instance role. Expected false positives are legitimate remediation or automation that rebinds profiles; confirm with the responsible service owners and check the actor against any known automation roles. Remediation for unauthorized activity includes disassociating the profile or restoring the correct one, revoking iam:PassRole and the related EC2 permissions from the actor, and rotating any credentials obtained through the over-privileged role.

Additional references cover the AWS API actions themselves. MITRE ATT&CK mapping: T1548 (Abuse Elevation Control Mechanism) with sub-technique T1548.005 (Temporary Elevated Cloud Access), and T1078 (Valid Accounts) with sub-technique T1078.004 (Cloud Accounts), under the Privilege Escalation tactic (TA0004). The rule helps identify attempts to temporarily elevate cloud access by binding a privileged instance profile to a live instance without stopping or restarting it.
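The following is an added example, not the rule's own query or code, showing the rule's filter applied to a handful of constructed CloudTrail records: event source ec2.amazonaws.com, one of the two monitored actions, no errorCode (success), and suppression of AWS service principals and SSM-invoked automation. The record layout follows CloudTrail's JSON for EC2 calls (requestParameters wrapped in an "<Action>Request" object); the sample events, the account IDs and ARNs, and the exact SSM exclusion (userIdentity.invokedBy) are assumptions made for the example.

```python
"""Added example: apply the instance-profile association rule to constructed
CloudTrail records and extract the fields a responder would want. The
sample records and the exclusion details are assumptions, not the rule's own."""

MONITORED_ACTIONS = {"AssociateIamInstanceProfile", "ReplaceIamInstanceProfileAssociation"}
# Assumed automation principal to suppress (SSM-driven remediation).
EXCLUDED_INVOKERS = {"ssm.amazonaws.com"}


def matches_rule(event: dict) -> bool:
    """Return True when a CloudTrail record satisfies the rule's conditions."""
    if event.get("eventSource") != "ec2.amazonaws.com":
        return False
    if event.get("eventName") not in MONITORED_ACTIONS:
        return False
    if event.get("errorCode"):          # errorCode is only present on failed calls
        return False
    identity = event.get("userIdentity", {})
    if identity.get("type") == "AWSService":   # call made by an AWS service principal
        return False
    if identity.get("invokedBy") in EXCLUDED_INVOKERS:  # e.g. SSM automation
        return False
    return True


def extract_fields(event: dict) -> dict:
    """Pull the investigative fields out of a matching record."""
    name = event["eventName"]
    # EC2 wraps request parameters as {"<Action>Request": {...}}.
    req = event.get("requestParameters", {}).get(f"{name}Request", {})
    profile = req.get("IamInstanceProfile", {})
    identity = event.get("userIdentity", {})
    return {
        "action": name,
        "instanceId": req.get("InstanceId"),          # Associate* carries the instance
        "associationId": req.get("AssociationId"),    # Replace* carries the association
        "profileArn": profile.get("Arn") or profile.get("Name"),
        "actorArn": identity.get("arn"),
        "sourceIp": event.get("sourceIPAddress"),
    }


def run_detection(records):
    """Return extracted fields for every record the rule fires on."""
    return [extract_fields(e) for e in records if matches_rule(e)]


def _user(name, **extra):
    # Constructed IAM user identity for the sample records.
    base = {"type": "IAMUser", "arn": f"arn:aws:iam::123456789012:user/{name}"}
    base.update(extra)
    return base


# Constructed sample records (not real CloudTrail output).
SAMPLE_EVENTS = [
    {   # 1. Success: profile bound to a running instance -> should fire
        "eventSource": "ec2.amazonaws.com", "eventName": "AssociateIamInstanceProfile",
        "userIdentity": _user("dev-contractor"), "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"AssociateIamInstanceProfileRequest": {
            "InstanceId": "i-0123456789abcdef0",
            "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/AdminProfile"}}},
    },
    {   # 2. Success: existing association swapped -> should fire
        "eventSource": "ec2.amazonaws.com", "eventName": "ReplaceIamInstanceProfileAssociation",
        "userIdentity": _user("dev-contractor"), "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"ReplaceIamInstanceProfileAssociationRequest": {
            "AssociationId": "iip-assoc-0fedcba9876543210",
            "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/AdminProfile"}}},
    },
    {   # 3. Denied call -> no fire (outcome not successful)
        "eventSource": "ec2.amazonaws.com", "eventName": "AssociateIamInstanceProfile",
        "errorCode": "Client.UnauthorizedOperation",
        "userIdentity": _user("dev-contractor"), "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"AssociateIamInstanceProfileRequest": {"InstanceId": "i-0123456789abcdef0"}},
    },
    {   # 4. SSM automation on behalf of a role -> excluded
        "eventSource": "ec2.amazonaws.com", "eventName": "AssociateIamInstanceProfile",
        "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/SSMAutomation/run",
                         "invokedBy": "ssm.amazonaws.com"},
        "sourceIPAddress": "ssm.amazonaws.com",
        "requestParameters": {"AssociateIamInstanceProfileRequest": {"InstanceId": "i-0123456789abcdef0"}},
    },
    {   # 5. Different action (removal) -> not in scope of this rule
        "eventSource": "ec2.amazonaws.com", "eventName": "DisassociateIamInstanceProfile",
        "userIdentity": _user("dev-contractor"), "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"DisassociateIamInstanceProfileRequest": {
            "AssociationId": "iip-assoc-0fedcba9876543210"}},
    },
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit)
```

Records 1 and 2 are the only ones that fire; the denied call, the SSM-invoked call, and the disassociation are dropped. The associationId on a replacement does not name the instance directly, so the next triage step is to resolve it (DescribeIamInstanceProfileAssociations) to the instance, then map that instance to its owner and data sensitivity as the summary describes.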
Categories
- Cloud
- AWS
Data Sources
- Cloud Service
- Application Log
ATT&CK Techniques
- T1548
- T1548.005
- T1078
- T1078.004
Created: 2026-04-08