
AWS EC2 Admin Credential Fetch via Assumed Role

Elastic Detection Rules

Summary
This detection rule identifies the first occurrence of a user identity making the `GetPasswordData` API call in AWS using an assumed role. This call retrieves the administrator password for an EC2 instance and could signify an attempt by an adversary to escalate privileges or move laterally within AWS environments. The rule is configured to trigger once for each unique assumed-role ARN that has not performed this API action in the past week. It guides investigators to review CloudTrail logs for the user identity and role, scrutinize the request and response parameters, compare the action against the user's known behavior, and assess the criticality of the EC2 instance involved. The potential for lateral movement and the origin of the API call are also evaluated.
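The following is an added illustration of the "first occurrence per assumed-role ARN" logic described above, written for this page and not taken from the Elastic rule itself. It walks a set of constructed CloudTrail records (not real data), keeps only successful `GetPasswordData` calls made under an `AssumedRole` identity, and raises an alert the first time an assumed-role ARN makes the call or when its previous call is older than the configured window (seven days by default, mirroring the rule's "past week"). The field names follow the standard CloudTrail record layout; the success filter on `errorCode` and the alert fields are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample CloudTrail records (not real data). Only the fields the
# logic below reads are included; account id and ARNs are placeholders.
SAMPLE_EVENTS = [
    {"eventTime": "2024-04-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "GetPasswordData", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/OpsRole/alice"},
     "requestParameters": {"instanceId": "i-0123456789abcdef0"}},
    {"eventTime": "2024-04-02T11:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "GetPasswordData", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/OpsRole/alice"},
     "requestParameters": {"instanceId": "i-0123456789abcdef0"}},
    {"eventTime": "2024-04-02T12:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.20",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/CiRole/build"},
     "requestParameters": {}},
    {"eventTime": "2024-04-03T09:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "GetPasswordData", "sourceIPAddress": "198.51.100.5",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"instanceId": "i-0fedcba9876543210"}},
    {"eventTime": "2024-04-12T08:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "GetPasswordData", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/OpsRole/alice"},
     "requestParameters": {"instanceId": "i-0123456789abcdef0"}},
    {"eventTime": "2024-04-12T09:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "GetPasswordData", "sourceIPAddress": "203.0.113.20",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/CiRole/build"},
     "requestParameters": {"instanceId": "i-0fedcba9876543210"}},
]


def parse_time(ts):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_candidate(ev):
    """True for a successful GetPasswordData call made under an assumed role.
    The errorCode check (success only) is an assumption of this example."""
    return (ev.get("eventSource") == "ec2.amazonaws.com"
            and ev.get("eventName") == "GetPasswordData"
            and ev.get("userIdentity", {}).get("type") == "AssumedRole"
            and ev.get("errorCode") is None)


def first_seen_alerts(events, window_days=7):
    """Emit one alert per assumed-role ARN the first time it calls
    GetPasswordData, or again once its last call is older than window_days.
    Events are sorted by time so the 'last seen' state is built in order."""
    last_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: parse_time(e["eventTime"])):
        if not is_candidate(ev):
            continue
        arn = ev["userIdentity"]["arn"]
        t = parse_time(ev["eventTime"])
        prev = last_seen.get(arn)
        if prev is None or t - prev > timedelta(days=window_days):
            # Alert fields chosen to match the triage steps in the summary:
            # who (ARN), which instance, and where the call came from.
            alerts.append({
                "time": ev["eventTime"],
                "arn": arn,
                "instance_id": ev.get("requestParameters", {}).get("instanceId"),
                "source_ip": ev.get("sourceIPAddress"),
                "reason": "first GetPasswordData by this assumed role in "
                          f"{window_days} days",
            })
        last_seen[arn] = t
    return alerts


if __name__ == "__main__":
    for a in first_seen_alerts(SAMPLE_EVENTS):
        print(a)
```

With the sample data this produces three alerts: OpsRole's first call on 2024-04-01, OpsRole again on 2024-04-12 (its previous call was ten days earlier, outside the window), and CiRole's first call; the repeat on 2024-04-02 and the IAM-user call are not flagged. Widening the window to thirty days drops the second OpsRole alert, which is the trade-off the rule's one-week lookback makes between noise from routine operators and coverage of a role that is quietly reused.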
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Service
  • Cloud Storage
ATT&CK Techniques
  • T1552.005
  • T1552
Created: 2024-04-10