
IAM Administrator Role Policy Attached

Panther Rules

Summary
The rule AWS.IAM.AttachAdminRolePolicy detects when the AdministratorAccess policy is attached to an IAM role, which is a potential security risk if done without proper oversight. Detection relies on AWS CloudTrail logs, which record API calls. The rule looks at AttachRolePolicy events and matches those that attach a policy with full administrative permissions (AdministratorAccess). The rule's severity is 'Info': the event itself may not be an outright threat, but it warrants attention as a matter of security best practice. Review the context and justification for any such privilege escalation. If the attachment was unexpected, the recommended response is to remove the AdministratorAccess policy from the IAM role. The related CIS control is 1.1, and the rule is mapped to the MITRE ATT&CK technique TA0007:T1078 concerning valid accounts.
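The check described above, sketched as an added example (it is not Panther's own rule source). It assumes standard CloudTrail record fields; the `make_event` helper, the sample events, and the choice to skip failed calls are constructed for illustration.

```python
import re

# AWS-managed AdministratorAccess in any partition (aws, aws-cn, aws-us-gov). The
# "::aws:" account field excludes customer-managed policies that reuse the name.
ADMIN_POLICY_ARN = re.compile(r"^arn:aws[a-z-]*:iam::aws:policy/AdministratorAccess$")


def rule(event: dict) -> bool:
    """Return True for a successful AttachRolePolicy call attaching AdministratorAccess."""
    if (event.get("eventSource"), event.get("eventName")) != ("iam.amazonaws.com", "AttachRolePolicy"):
        return False
    # Assumption: denied or failed calls changed nothing, so they are skipped.
    if event.get("errorCode"):
        return False
    params = event.get("requestParameters") or {}  # can be null in CloudTrail
    return bool(ADMIN_POLICY_ARN.match(params.get("policyArn") or ""))


def title(event: dict) -> str:
    """One-line alert summary: who attached the policy, and to which role."""
    actor = (event.get("userIdentity") or {}).get("arn", "<unknown actor>")
    role = (event.get("requestParameters") or {}).get("roleName", "<unknown role>")
    return f"{actor} attached AdministratorAccess to role {role}"


def make_event(name, policy_arn, error=None):
    """Build a constructed CloudTrail record (sample data, not real logs)."""
    record = {
        "eventSource": "iam.amazonaws.com",
        "eventName": name,
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"},
        "requestParameters": {"roleName": "example-role", "policyArn": policy_arn},
    }
    if error:
        record["errorCode"] = error
    return record


SAMPLES = [  # constructed events: only the first should alert
    make_event("AttachRolePolicy", "arn:aws:iam::aws:policy/AdministratorAccess"),
    make_event("AttachRolePolicy", "arn:aws:iam::aws:policy/ReadOnlyAccess"),
    make_event("AttachRolePolicy", "arn:aws:iam::111122223333:policy/AdministratorAccess"),
    make_event("AttachRolePolicy", "arn:aws:iam::aws:policy/AdministratorAccess", "AccessDenied"),
    make_event("AttachUserPolicy", "arn:aws:iam::aws:policy/AdministratorAccess"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(rule(sample), sample["eventName"], sample["requestParameters"]["policyArn"])
```

The third sample is a customer-managed policy that only shares the name; whether it grants full administrative permissions depends on its policy document, which the AttachRolePolicy event does not carry.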
Categories
  • Cloud
Data Sources
  • Cloud Storage
ATT&CK Techniques
  • T1078
Created: 2025-01-31