AWS S3 Credential File Retrieved from Bucket

Elastic Detection Rules

Summary
Detects successful AWS S3 GetObject calls that retrieve high-value credential or secret files from S3 buckets. The rule watches CloudTrail data events for S3 GetObject and matches object keys against credential-like filenames and patterns (e.g., .aws/credentials, .aws/config, id_rsa, id_ed25519, id_ecdsa, id_dsa, .env, PEM/PPK, private_key, and ssh/authorized_keys). It excludes AWSService identity reads to avoid flagging internal AWS data movement. On a matching successful retrieval, it raises an alert with context including bucket name, object key, caller identity, and source IP to aid investigation.

The rule maps to MITRE ATT&CK techniques T1552.001 (Credentials in Files) and T1530 (Data from Cloud Storage) under Credential Access and Collection. To enable detection, CloudTrail data events for S3 must be enabled for the relevant buckets, since data-plane events are not logged by default.

Investigations should verify that the access was authorized, inspect bucket permissions, review subsequent IAM actions or console activity from the same identity, and rotate any potentially compromised credentials. The rule includes false-positive considerations for legitimate automation (CI/CD, configuration management, or tooling) and supports alert suppression/grouping, with dedicated investigation fields to streamline response.
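The matching logic the summary describes, as an added example that is not the Elastic rule's own query: it runs over constructed CloudTrail-shaped records, keeps only successful S3 GetObject calls, drops AWSService identities, tests the object key against assumed regexes for the filenames listed above, and returns the triage context (bucket, key, caller, source IP).

```python
import re

# Regexes for the credential-like object keys named in the rule summary (an assumption
# for this example; the rule's own query is not shown on this page).
CREDENTIAL_KEY_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"(^|/)\.aws/(credentials|config)$",
    r"(^|/)id_(rsa|ed25519|ecdsa|dsa)$",
    r"(^|/)\.env$",
    r"\.(pem|ppk)$",
    r"private_key",
    r"ssh/authorized_keys$",
)]

def is_credential_key(key):
    """True if an S3 object key looks like a credential or secret file."""
    return any(p.search(key) for p in CREDENTIAL_KEY_PATTERNS)

def match_event(event):
    """Return triage context if a CloudTrail record matches the rule, else None."""
    if event.get("eventSource") != "s3.amazonaws.com" or event.get("eventName") != "GetObject":
        return None
    if "errorCode" in event:  # failed calls (e.g. AccessDenied) are not retrievals
        return None
    identity = event.get("userIdentity", {})
    if identity.get("type") == "AWSService":  # internal AWS data movement is excluded
        return None
    params = event.get("requestParameters", {})
    key = params.get("key", "")
    if not is_credential_key(key):
        return None
    return {"bucket": params.get("bucketName"), "key": key,
            "caller": identity.get("arn"), "source_ip": event.get("sourceIPAddress")}

def scan(events):
    """Apply the rule to a sequence of CloudTrail records and collect the alerts."""
    return [alert for alert in map(match_event, events) if alert]

def rec(key, identity_type="IAMUser", error_code=None):
    """Build a constructed (not real) CloudTrail-shaped S3 GetObject record."""
    r = {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
         "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": identity_type,
         "arn": "arn:aws:iam::111122223333:user/dev"},
         "requestParameters": {"bucketName": "backup-bucket", "key": key}}
    if error_code:
        r["errorCode"] = error_code
    return r

# Constructed sample: one true hit, one AWSService read, one denied attempt, one benign object.
SAMPLE_EVENTS = [rec("home/dev/.aws/credentials"), rec("keys/id_rsa", "AWSService"),
                 rec("app/.env", error_code="AccessDenied"), rec("reports/q1.pdf")]
```

Running `scan(SAMPLE_EVENTS)` yields a single alert for the `.aws/credentials` read; the AWSService read, the denied attempt and the PDF are all discarded before an alert is built.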
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Storage
ATT&CK Techniques
  • T1552
  • T1552.001
  • T1530
Created: 2026-05-27