
AWS Create IAM Role OR Policy

Anvilogic Forge

Summary
This detection rule identifies unauthorized creation of IAM roles or policies in an AWS environment, activity that can indicate an attempt by a threat actor to escalate privileges. It analyzes AWS CloudTrail logs and captures role- and policy-creation events from the last two hours. By monitoring the `CreateRole` and `CreatePolicy` actions, security teams can detect misuse of IAM features that may lead to unauthorized access or privilege escalation. These actions carry the risks associated with account manipulation and the establishment of valid accounts, which can be used for persistence or defense evasion in cloud environments. Threat actor groups associated with this activity include GUI-vil and LUCR-3, which underscores the need for vigilant monitoring of IAM changes in AWS given their potential impact on cloud security.
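As an added illustration of the detection logic described above (example code, not Anvilogic's rule), the Python below filters CloudTrail records for `CreateRole` and `CreatePolicy` calls that fall inside a two-hour window and summarizes the actor, source IP and target name of each hit. The field names follow the CloudTrail record format; the sample records, user names and the account id are constructed.

```python
from datetime import datetime, timedelta, timezone
# IAM actions the rule watches and its two-hour lookback (both from the rule summary).
WATCHED_ACTIONS = {"CreateRole", "CreatePolicy"}
LOOKBACK = timedelta(hours=2)

def parse_event_time(ts):
    """CloudTrail eventTime is ISO 8601 UTC, e.g. 2024-02-09T13:05:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
def find_iam_creations(records, now):
    """Return a summary of each IAM CreateRole/CreatePolicy record within LOOKBACK of `now`."""
    hits = []
    for rec in records:
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue  # only IAM API calls matter here
        if rec.get("eventName") not in WATCHED_ACTIONS:
            continue
        when = parse_event_time(rec["eventTime"])
        if not (now - LOOKBACK <= when <= now):
            continue  # outside the rule's two-hour window
        params = rec.get("requestParameters") or {}
        hits.append({
            "time": rec["eventTime"],
            "action": rec["eventName"],
            "actor": rec.get("userIdentity", {}).get("arn", "<unknown>"),
            "source_ip": rec.get("sourceIPAddress"),
            "target": params.get("roleName") or params.get("policyName"),
            "error": rec.get("errorCode"),  # set when IAM denied the call; denied attempts stay visible
        })
    return hits

def _rec(name, when, actor, source, target_key, target, error=None):
    """Build a minimal constructed CloudTrail record (sample data, not a real log)."""
    r = {"eventSource": source, "eventName": name, "eventTime": when,
         "sourceIPAddress": "198.51.100.10", "userIdentity": {"type": "IAMUser", "arn": actor},
         "requestParameters": {target_key: target}}
    if error:
        r["errorCode"] = error
    return r

# Constructed sample records; 123456789012 is the AWS documentation example account id.
NOW = datetime(2024, 2, 9, 14, 0, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    _rec("CreateRole", "2024-02-09T13:05:00Z", "arn:aws:iam::123456789012:user/alice", "iam.amazonaws.com", "roleName", "lambda-exec"),
    _rec("CreatePolicy", "2024-02-09T13:40:00Z", "arn:aws:iam::123456789012:user/bob", "iam.amazonaws.com", "policyName", "AllowAll", error="AccessDenied"),
    _rec("CreateRole", "2024-02-09T09:00:00Z", "arn:aws:iam::123456789012:user/alice", "iam.amazonaws.com", "roleName", "old-role"),  # outside window
    _rec("CreateBucket", "2024-02-09T13:50:00Z", "arn:aws:iam::123456789012:user/carol", "s3.amazonaws.com", "bucketName", "assets"),  # not IAM
]

if __name__ == "__main__":
    print(find_iam_creations(SAMPLE_RECORDS, NOW))
```

Running it prints two hits: alice's role creation and bob's denied policy creation; the stale record and the S3 call are filtered out.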
Categories
  • Cloud
  • AWS
  • Identity Management
Data Sources
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1098
  • T1078.004
  • T1078
Created: 2024-02-09