AWS IMDS Credential Usage Outside Expected Services

Panther Rules

Summary
This rule detects potential exfiltration of EC2 instance credentials obtained from the Instance Metadata Service (IMDS): it fires when such credentials are used to make AWS API calls from outside the expected internal AWS services (e.g., SSM). It relies on CloudTrail events that show an assumed-role session backed by an IMDS-delivered credential (e.g., arn:aws:sts::123456789012:assumed-role/...). The rule flags activity whose source IP is external to the instance’s AWS environment or outside the known VPC CIDRs, which indicates possible credential compromise followed by lateral movement or privilege escalation. It maps to the MITRE ATT&CK technique Valid Accounts (T1078.004) in the AWS/Cloud domain. The detection uses a low threshold (at least one matching event) with a 60-minute deduplication window. The runbook instructs the analyst to cross-reference the surrounding CloudTrail activity, validate the source IP against the VPC ranges, and correlate with other alerts from the past week to assess the breadth of the compromise. The references point to IAM/IMDS configuration and metadata access documentation. The included test cases contrast legitimate internal usage with anomalous external usage to validate the detection logic.
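As an added illustration of the detection logic the summary describes (example code written for this page, not Panther's rule source), the following standalone Python check applies the two conditions to plain CloudTrail event dicts: the caller is an assumed-role session whose credentials were delivered by IMDS, and the request's source is neither an AWS service principal nor an address inside the known VPC CIDRs. The VPC ranges, the sample events and the helper names are constructed assumptions.

```python
"""Standalone illustration of an IMDS-credential-misuse check over CloudTrail events.

Written for this page as an example; not Panther's rule source. Events are plain
dicts, and the VPC ranges and sample records below are constructed assumptions.
"""
import ipaddress
import re

# Assumption for this example: the CIDR ranges the organisation treats as its own VPCs.
KNOWN_VPC_CIDRS = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12")]

# Shape of the ARN CloudTrail records for an assumed-role session. The last path
# element is the role session name; for instance-profile credentials it is the instance ID.
ASSUMED_ROLE_RE = re.compile(r"^arn:aws:sts::\d{12}:assumed-role/[^/]+/(?P<session>[^/]+)$")
EC2_INSTANCE_ID_RE = re.compile(r"^i-[0-9a-f]{8,17}$")


def _get(event, *path, default=None):
    """Walk nested dict keys, returning default if any step is missing."""
    cur = event
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def is_imds_credential(event):
    """True when the call was made with instance-profile credentials served by IMDS."""
    if _get(event, "userIdentity", "type") != "AssumedRole":
        return False
    # CloudTrail sets sessionContext.ec2RoleDelivery ("1.0" or "2.0") on such sessions.
    if _get(event, "userIdentity", "sessionContext", "ec2RoleDelivery"):
        return True
    # Fallback when that attribute is absent: the role session name is an EC2 instance ID.
    match = ASSUMED_ROLE_RE.match(_get(event, "userIdentity", "arn", default=""))
    return bool(match and EC2_INSTANCE_ID_RE.match(match.group("session")))


def is_expected_source(source):
    """AWS services calling on the instance's behalf appear as a *.amazonaws.com
    principal; direct calls from inside the VPC carry an address in a known CIDR."""
    if source.endswith(".amazonaws.com"):
        return True
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return False
    return any(addr in net for net in KNOWN_VPC_CIDRS)


def rule(event):
    """Alert when IMDS-delivered credentials are used from an unexpected source."""
    if not is_imds_credential(event):
        return False
    return not is_expected_source(event.get("sourceIPAddress", ""))


def dedup(event):
    """Group on the role session so one leaked credential yields one alert per window."""
    return _get(event, "userIdentity", "arn", default="unknown-session")


def _event(arn, source, delivery="2.0"):
    """Build a minimal constructed CloudTrail record for the samples below."""
    return {
        "eventName": "ListBuckets",
        "sourceIPAddress": source,
        "userIdentity": {
            "type": "AssumedRole",
            "arn": arn,
            "sessionContext": {"ec2RoleDelivery": delivery},
        },
    }


INSTANCE_SESSION = "arn:aws:sts::123456789012:assumed-role/WebRole/i-0123456789abcdef0"

# Constructed samples: two benign patterns, one that should fire, and one out of scope.
VIA_SSM = _event(INSTANCE_SESSION, "ssm.amazonaws.com")
FROM_VPC = _event(INSTANCE_SESSION, "10.20.30.40")
FROM_OUTSIDE = _event(INSTANCE_SESSION, "203.0.113.45")
HUMAN_SESSION = _event("arn:aws:sts::123456789012:assumed-role/AdminRole/alice",
                       "203.0.113.45", delivery=None)

if __name__ == "__main__":
    samples = [("via SSM", VIA_SSM), ("from VPC", FROM_VPC),
               ("from outside", FROM_OUTSIDE), ("human session", HUMAN_SESSION)]
    for name, ev in samples:
        print(f"{name:14} -> alert={rule(ev)} dedup={dedup(ev)}")
```

The `HUMAN_SESSION` sample shows the scoping the summary implies: a person assuming a role from an external address is not an IMDS credential and belongs to a different detection, so this check stays quiet on it. In a real deployment the CIDR list would come from the VPC inventory rather than a constant.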
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Service
ATT&CK Techniques
  • T1078.004
Created: 2026-04-21