
Summary
This detection rule identifies when an AWS service assumes an IAM role through the AssumeRole API action. It runs over CloudTrail logs, where such events are recorded. The rule matches on a few essential characteristics: the event name 'AssumeRole', and a user identity type of 'AWSService', which indicates that the call came from a recognized service such as AWS Lambda rather than from a user. The record must also carry the key role parameters 'roleArn' and 'roleSessionName', confirming that a legitimate IAM role assumption occurred. Because its severity level is Info, the rule is not meant to raise alerts but to give visibility into role assumption behavior in the AWS environment, helping security teams monitor service activity and verify that least privilege practices are being followed. The detection is currently disabled and does not create alerts, so it is primarily useful for auditing.
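The filter described above, applied to constructed CloudTrail records as an added illustration (this is not the rule's own query; the record shapes and the helper names are assumed, using the standard CloudTrail field names eventName, userIdentity.type, userIdentity.invokedBy and requestParameters):

```python
# Constructed sample CloudTrail records (not from the page). Two satisfy every
# condition of the rule; the rest each fail exactly one condition.
SAMPLE_CLOUDTRAIL = [
    {"eventName": "AssumeRole",
     "userIdentity": {"type": "AWSService", "invokedBy": "lambda.amazonaws.com"},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/lambda-exec",
                           "roleSessionName": "my-function"}},
    # Human principal, not a service: must not match.
    {"eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/admin",
                           "roleSessionName": "alice-session"}},
    # Service call but roleSessionName is absent: must not match.
    {"eventName": "AssumeRole",
     "userIdentity": {"type": "AWSService", "invokedBy": "ec2.amazonaws.com"},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/ec2-instance"}},
    # Different STS action; CloudTrail records requestParameters as null here.
    {"eventName": "GetCallerIdentity",
     "userIdentity": {"type": "AWSService", "invokedBy": "lambda.amazonaws.com"},
     "requestParameters": None},
    {"eventName": "AssumeRole",
     "userIdentity": {"type": "AWSService", "invokedBy": "ecs-tasks.amazonaws.com"},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/ecs-task",
                           "roleSessionName": "task-abc"}},
]


def matches_service_assume_role(event: dict) -> bool:
    """True only when the record carries every field the rule requires."""
    if event.get("eventName") != "AssumeRole":
        return False
    if (event.get("userIdentity") or {}).get("type") != "AWSService":
        return False
    # requestParameters may be null in CloudTrail, so guard before indexing.
    params = event.get("requestParameters") or {}
    return bool(params.get("roleArn")) and bool(params.get("roleSessionName"))


def find_service_role_assumptions(records):
    """Summarize each match as (invoking service, roleArn, roleSessionName)."""
    hits = []
    for event in records:
        if matches_service_assume_role(event):
            params = event["requestParameters"]
            hits.append((event["userIdentity"].get("invokedBy"),
                         params["roleArn"], params["roleSessionName"]))
    return hits


if __name__ == "__main__":
    for service, role, session in find_service_role_assumptions(SAMPLE_CLOUDTRAIL):
        print(f"{service} assumed {role} as session {session}")
```

The summary tuples are what an auditor would review: which service assumed which role, and under what session name.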
Categories
- Cloud
- AWS
Data Sources
- Cloud Storage
- Logon Session
- Application Log
Created: 2024-07-15