
Summary
This detection rule monitors for suspicious queries to the AWS Instance Metadata Service (IMDS) for security credentials, a tactic used by malicious actors in several high-profile breaches, including the Capital One data breach, which was attributed to improper access to cloud security credentials. The IMDS exposes critical information about an EC2 instance, including security credentials that can be abused if accessed by unauthorized users. The rule checks logs for connections to specific IMDS endpoints, particularly those that return IAM security credentials or instance identity documents, and looks for successful HTTP 200 responses. This helps identify potential credential harvesting that could lead to further exploitation of cloud resources. Validating legitimate access patterns and maintaining allowlists for known services that require IMDS access are crucial to reducing false positives while remaining responsive to genuine threats.
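As an added example (not the rule's own query or code), the following runs the logic the summary describes over constructed HTTP log lines: it flags HTTP 200 responses from the IMDS link-local address (169.254.169.254) for the IAM security-credentials and instance-identity-document paths, and suppresses processes on a hypothetical allowlist. The log format and the allowlisted agent names are assumptions made for this demo.

```python
"""Flag successful IMDS credential / identity-document requests in HTTP logs.

Constructed log format for this demo: "<ts> <host> <process> <method> <url> <status>".
"""
import re
from urllib.parse import urlparse

IMDS_HOST = "169.254.169.254"  # well-known IMDS link-local address
# Paths named by the rule: IAM role credentials and the instance identity document.
SENSITIVE_PATH = re.compile(
    r"^/latest/(meta-data/iam/security-credentials(/.*)?"
    r"|dynamic/instance-identity/document)$"
)
# Hypothetical allowlist of agents that legitimately read IMDS credentials.
ALLOWED_PROCESSES = {"amazon-ssm-agent", "amazon-cloudwatch-agent"}
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (GET|PUT) (\S+) (\d{3})$")

def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, host, proc, method, url, status = m.groups()
    return {"ts": ts, "host": host, "process": proc,
            "method": method, "url": url, "status": int(status)}

def is_suspicious(event, allowlist=ALLOWED_PROCESSES):
    """True for a 200 response from IMDS on a sensitive path by a non-allowlisted process."""
    u = urlparse(event["url"])
    if u.hostname != IMDS_HOST or event["status"] != 200:
        return False  # wrong host, or the request did not succeed (e.g. IMDSv2 401)
    if not SENSITIVE_PATH.match(u.path):
        return False  # other metadata (hostname, api/token) is not credential material
    return event["process"] not in allowlist

def detect(lines, allowlist=ALLOWED_PROCESSES):
    """Return the parsed events that should raise an alert."""
    return [ev for ev in map(parse_line, lines) if ev and is_suspicious(ev, allowlist)]

# Constructed sample log lines (not real traffic).
SAMPLE_LOGS = [
    "2024-02-09T10:00:01Z web-01 amazon-ssm-agent GET http://169.254.169.254/latest/meta-data/iam/security-credentials/ 200",
    "2024-02-09T10:00:04Z web-01 curl PUT http://169.254.169.254/latest/api/token 200",
    "2024-02-09T10:00:05Z web-01 curl GET http://169.254.169.254/latest/meta-data/iam/security-credentials/AppRole 200",
    "2024-02-09T10:00:06Z web-01 python3 GET http://169.254.169.254/latest/dynamic/instance-identity/document 200",
    "2024-02-09T10:00:07Z web-01 curl GET http://169.254.169.254/latest/meta-data/hostname 200",
    "2024-02-09T10:00:08Z web-01 curl GET http://169.254.169.254/latest/meta-data/iam/security-credentials/ 401",
    "2024-02-09T10:00:09Z web-01 curl GET https://example.com/latest/meta-data/iam/security-credentials/ 200",
]

if __name__ == "__main__":
    for ev in detect(SAMPLE_LOGS):
        print(f"ALERT {ev['ts']} {ev['host']} {ev['process']} {ev['url']}")
```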
Categories
- Cloud
- AWS
Data Sources
- Cloud Service
- Network Traffic
- Logon Session
- Process
ATT&CK Techniques
- T1552.005
Created: 2024-02-09