Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure

Sigma Rules

Summary
This rule detects potentially malicious use of credentials obtained from the EC2 Instance Metadata Service (IMDS) outside of expected AWS infrastructure interactions. Credentials issued to an instance profile are meant to be used from the instance itself, so the rule looks at AWS CloudTrail events whose caller is an assumed-role session belonging to an EC2 instance and whose source is not the expected AWS infrastructure, while filtering out the Systems Manager (SSM) calls an instance routinely makes and traffic that CloudTrail attributes to AWS services themselves. A deviation from that pattern can indicate that a compromised instance, or an attacker who stole its credentials (for example through a server-side request forgery that reaches IMDS), is executing unauthorized actions, possibly as a pivot point in a larger attack. The detection matters because it surfaces exfiltrated or misused instance credentials early. When tuning it, keep in mind that API calls an instance makes directly over the internet appear in CloudTrail with the instance's public or NAT gateway address rather than an amazonaws.com name, so expected egress addresses should be baselined to keep the rule from firing on routine instance activity.
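To make the selection logic concrete, the following is an added example that approximates the behaviour described above in Python and runs it over constructed CloudTrail records; it is not the Sigma rule's own selection and not code from the rule's author. The CloudTrail field names (userIdentity.type, userIdentity.arn, eventSource, sourceIPAddress) are real, while the account ID, role name, instance ID, IP addresses and the optional allowlist of known egress addresses are assumptions introduced for the example.

```python
"""Added example: approximate re-implementation of the IMDS credential misuse
detection over constructed CloudTrail records (not the Sigma rule itself)."""
import re

# Credentials served by IMDS belong to an assumed-role session whose session
# name is the instance ID, so the ARN ends in "/i-<hex>".
INSTANCE_SESSION = re.compile(r":assumed-role/[^/]+/i-[0-9a-f]{8,17}$")


def is_aws_internal(source_ip: str) -> bool:
    """CloudTrail records a service DNS name (e.g. ec2.amazonaws.com) or
    'AWS Internal' when an AWS service makes the call on the principal's behalf."""
    return source_ip == "AWS Internal" or source_ip.endswith(".amazonaws.com")


def uses_instance_credentials(event: dict) -> bool:
    """True when the caller is an EC2 instance-profile session."""
    ident = event.get("userIdentity", {})
    return ident.get("type") == "AssumedRole" and bool(
        INSTANCE_SESSION.search(ident.get("arn", ""))
    )


def is_imds_credential_misuse(event: dict, known_egress_ips=frozenset()) -> bool:
    """Flag instance-role calls that come from outside expected AWS infrastructure.
    known_egress_ips is an assumed tuning knob (instance EIPs / NAT gateways),
    not part of the rule as described."""
    if not uses_instance_credentials(event):
        return False
    if event.get("eventSource") == "ssm.amazonaws.com":  # routine SSM agent traffic
        return False
    src = event.get("sourceIPAddress", "")
    if is_aws_internal(src):  # call made by an AWS service, not by a client
        return False
    if src in known_egress_ips:  # baselined instance egress address
        return False
    return True


def scan(events, known_egress_ips=frozenset()):
    """Return the eventIDs of records that match the detection."""
    return [e["eventID"] for e in events if is_imds_credential_misuse(e, known_egress_ips)]


# Constructed sample records (assumed account, role, instance and addresses).
ROLE_ARN = "arn:aws:sts::123456789012:assumed-role/WebServerRole/i-0abc123def4567890"
INSTANCE_IDENTITY = {"type": "AssumedRole", "arn": ROLE_ARN,
                     "principalId": "AROAEXAMPLEID:i-0abc123def4567890"}

SAMPLE_EVENTS = [
    # 1: instance credentials used from an unknown internet address -> alert
    {"eventID": "evt-1", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.45", "userIdentity": INSTANCE_IDENTITY},
    # 2: SSM agent check-in from the same session -> filtered (SSM)
    {"eventID": "evt-2", "eventSource": "ssm.amazonaws.com",
     "eventName": "UpdateInstanceInformation",
     "sourceIPAddress": "203.0.113.45", "userIdentity": INSTANCE_IDENTITY},
    # 3: call made by an AWS service on the session's behalf -> filtered (internal)
    {"eventID": "evt-3", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "sourceIPAddress": "ec2.amazonaws.com", "userIdentity": INSTANCE_IDENTITY},
    # 4: same role from the baselined NAT gateway address -> filtered only if allowlisted
    {"eventID": "evt-4", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "sourceIPAddress": "198.51.100.10", "userIdentity": INSTANCE_IDENTITY},
    # 5: an IAM user, not instance credentials -> out of scope
    {"eventID": "evt-5", "eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
     "sourceIPAddress": "203.0.113.45",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
]

KNOWN_EGRESS = frozenset({"198.51.100.10"})

if __name__ == "__main__":
    print("untuned:", scan(SAMPLE_EVENTS))
    print("with egress baseline:", scan(SAMPLE_EVENTS, KNOWN_EGRESS))
```

Running the untuned scan flags both the external address and the instance's own NAT egress (evt-4), which illustrates the tuning point above: without a baseline of expected egress addresses, legitimate direct API calls from instances look the same as credentials replayed from an attacker's machine.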
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Service
  • Network Traffic
Created: 2024-07-11