
Summary
This rule detects the creation of AWS Identity and Access Management (IAM) users by a role that was assumed on an EC2 instance. Such activity can indicate a compromised instance: an adversary who obtains the instance's role credentials may use them to create unauthorized IAM users as a means of establishing persistence. The detection is based on CloudTrail records of a successful IAM CreateUser call, filtered to cases where the caller is an assumed role operating from an EC2 instance. Indicators such as an unusual role or instance, the absence of multi-factor authentication, and an unexpected user agent strengthen the case that the activity is illegitimate. Investigation should cover the role and permissions involved, together with related IAM actions by the same principal (for example, attaching policies to or creating access keys for the new user) that could indicate privilege escalation or further misuse.
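The following is an added example of the detection logic described above, run over constructed CloudTrail records; it is example code written for this page, not the rule's own query. It relies on two documented CloudTrail properties: `userIdentity.sessionContext.ec2RoleDelivery` is present when the role credentials were served by the instance metadata service, and the session name of instance-profile credentials is the instance ID. The account ID, ARNs, instance IDs and user-agent strings are placeholders, and the `SDK_USER_AGENT_PREFIXES` allowlist and `expected_roles` parameter are assumptions used to produce the triage signals the summary lists.

```python
"""Illustrative detection for IAM CreateUser calls made with a role assumed on an
EC2 instance, with the triage signals from the rule summary attached to each hit.
Example code for this page; the records below are constructed, not real logs."""

from typing import Iterable, Optional

# Assumption: user agents from application SDKs are the "normal" traffic from an
# instance; CLI or console agents from an instance role are worth a look.
SDK_USER_AGENT_PREFIXES = ("aws-sdk-", "Boto3/", "aws-sdk-go", "aws-sdk-java")


def _assumed_role(role: str, session: str, ec2: bool) -> dict:
    """Build a constructed CloudTrail userIdentity block for an assumed-role session."""
    ctx = {"sessionIssuer": {"type": "Role", "userName": role},
           "attributes": {"mfaAuthenticated": "false"}}
    if ec2:  # set by CloudTrail when credentials came from instance metadata
        ctx["ec2RoleDelivery"] = "2.0"
    return {"type": "AssumedRole",
            "arn": f"arn:aws:sts::123456789012:assumed-role/{role}/{session}",
            "sessionContext": ctx}


# Constructed sample records (placeholder account ID, ARNs and instance IDs).
SAMPLE_EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",  # A: should alert
     "userAgent": "aws-cli/2.15.30 Python/3.11.8 Linux/6.1.0 exe/x86_64",
     "userIdentity": _assumed_role("WebServerRole", "i-0abc123def456789a", ec2=True),
     "requestParameters": {"userName": "backup-svc"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",  # B: denied, not a creation
     "errorCode": "AccessDenied",
     "userAgent": "aws-cli/2.15.30 Python/3.11.8 Linux/6.1.0 exe/x86_64",
     "userIdentity": _assumed_role("WebServerRole", "i-0abc123def456789a", ec2=True),
     "requestParameters": {"userName": "backup-svc"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",  # C: IAM user in the console
     "userAgent": "console.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
     "requestParameters": {"userName": "bob"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",  # D: human STS session, not EC2
     "userAgent": "aws-cli/2.15.30 Python/3.11.8 Darwin/23.4.0 exe/x86_64",
     "userIdentity": _assumed_role("AdminRole", "alice", ec2=False),
     "requestParameters": {"userName": "carol"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",  # E: expected provisioner role
     "userAgent": "Boto3/1.34.0 md/Botocore#1.34.0 ua/2.0 os/linux",
     "userIdentity": _assumed_role("CiUserProvisioner", "i-0fedcba9876543210", ec2=True),
     "requestParameters": {"userName": "ci-runner-07"}},
]


def ec2_role_session(user_identity: dict) -> Optional[tuple]:
    """Return (role_name, session_name) when the caller is a role assumed on an
    EC2 instance, else None."""
    if user_identity.get("type") != "AssumedRole":
        return None
    ctx = user_identity.get("sessionContext", {})
    role = ctx.get("sessionIssuer", {}).get("userName")
    session_name = user_identity.get("arn", "").rsplit("/", 1)[-1]
    # ec2RoleDelivery is the direct signal; an "i-..." session name is the fallback.
    if "ec2RoleDelivery" in ctx or session_name.startswith("i-"):
        return role, session_name
    return None


def evaluate(event: dict, expected_roles: frozenset = frozenset()) -> Optional[dict]:
    """Apply the rule to one CloudTrail record; return an alert dict or None."""
    if event.get("eventSource") != "iam.amazonaws.com" or event.get("eventName") != "CreateUser":
        return None
    if "errorCode" in event:  # the rule only covers successful creations
        return None
    session = ec2_role_session(event.get("userIdentity", {}))
    if session is None:
        return None
    role, instance_id = session
    ctx = event["userIdentity"].get("sessionContext", {})
    user_agent = event.get("userAgent", "")

    # Triage signals named in the summary: unusual role, no MFA, odd user agent.
    anomalies = []
    if role not in expected_roles:
        anomalies.append("unexpected_role")
    if ctx.get("attributes", {}).get("mfaAuthenticated") != "true":
        anomalies.append("no_mfa")
    if not user_agent.startswith(SDK_USER_AGENT_PREFIXES):
        anomalies.append("non_sdk_user_agent")

    return {"role": role, "instance_id": instance_id,
            "created_user": event.get("requestParameters", {}).get("userName"),
            "user_agent": user_agent, "anomalies": anomalies}


def run(events: Iterable[dict], expected_roles: Iterable[str] = ()) -> list:
    """Run the rule over a batch of records and collect the alerts."""
    allowed = frozenset(expected_roles)
    return [a for a in (evaluate(e, allowed) for e in events) if a is not None]


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS, expected_roles={"CiUserProvisioner"}):
        print(alert)
```

Records A and E both match the rule; only A carries the full set of anomaly flags, which is the case an analyst would pivot on first, while E is a known provisioning role whose remaining flag (no MFA) is expected for any instance-profile session. The denied call (B) is deliberately excluded, matching the rule's "successful creation" scope; a separate detection for repeated AccessDenied on IAM write calls from an instance role would be the natural companion.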
Categories
- Cloud
Data Sources
- Cloud Service
- User Account
- Network Share
ATT&CK Techniques
- T1136
- T1136.003
Created: 2024-11-04