
Summary
This rule, authored by Elastic, detects potential privilege escalation in AWS IAM by monitoring use of the `AttachUserPolicy` API operation to attach the `AdministratorAccess` managed policy to a user account. Adversaries who obtain compromised credentials may use this operation to elevate their privileges within the AWS environment, which poses a significant security risk. The rule captures successful occurrences of this API call and raises an alert when the policy being attached is `AdministratorAccess`, which grants unrestricted access to AWS services and resources. The query runs over AWS CloudTrail logs, filtering for events that record the attachment of `AdministratorAccess` to users. Monitoring this activity effectively is critical for identifying account manipulation and persistence tactics, and for ensuring the integrity of user accounts in AWS.
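The detection logic described above, written out as an added Python example rather than Elastic's own rule query: it applies the same three conditions (IAM `AttachUserPolicy`, call succeeded, policy is `AdministratorAccess`) to CloudTrail records. Field names follow the CloudTrail record format; the sample records, account id, IP address and user names are constructed for this example.

```python
# Added example, not Elastic's rule: the same AttachUserPolicy / AdministratorAccess
# check applied to CloudTrail records. All sample data below is constructed.
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

def is_admin_attach(event: dict) -> bool:
    """True for a successful IAM AttachUserPolicy call attaching AdministratorAccess."""
    if event.get("eventSource") != "iam.amazonaws.com":
        return False
    if event.get("eventName") != "AttachUserPolicy":
        return False
    # CloudTrail sets errorCode only when the call failed (e.g. AccessDenied),
    # so its absence is what "successful occurrence" means here.
    if "errorCode" in event:
        return False
    params = event.get("requestParameters") or {}
    return params.get("policyArn") == ADMIN_POLICY_ARN

def find_admin_attaches(records: list) -> list:
    """Return one alert dict per matching record: who attached it, to whom, from where."""
    alerts = []
    for ev in records:
        if is_admin_attach(ev):
            alerts.append({
                "target_user": ev["requestParameters"].get("userName"),
                "actor": ev.get("userIdentity", {}).get("arn"),
                "source_ip": ev.get("sourceIPAddress"),
                "time": ev.get("eventTime"),
            })
    return alerts

def _rec(name, params, actor="arn:aws:iam::123456789012:user/ops-admin", error=None):
    """Build a minimal constructed CloudTrail record (only the fields the rule uses)."""
    rec = {"eventVersion": "1.08", "eventTime": "2024-05-30T10:00:00Z",
           "eventSource": "iam.amazonaws.com", "eventName": name,
           "sourceIPAddress": "198.51.100.7", "userIdentity": {"arn": actor},
           "requestParameters": params}
    if error:
        rec["errorCode"] = error
    return rec

# Constructed records: one true positive, then a benign policy, a denied call, and a role attach.
SAMPLE_RECORDS = [
    _rec("AttachUserPolicy", {"userName": "app-deploy", "policyArn": ADMIN_POLICY_ARN}),
    _rec("AttachUserPolicy", {"userName": "analyst", "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}),
    _rec("AttachUserPolicy", {"userName": "intern", "policyArn": ADMIN_POLICY_ARN}, error="AccessDenied"),
    _rec("AttachRolePolicy", {"roleName": "ci-role", "policyArn": ADMIN_POLICY_ARN}),
]

if __name__ == "__main__":
    for a in find_admin_attaches(SAMPLE_RECORDS):
        print(f"ALERT: {a['actor']} attached AdministratorAccess to user {a['target_user']} from {a['source_ip']}")
```

Note that the last two sample records are deliberately not matched: a denied attempt is not a successful occurrence, and `AttachRolePolicy` (like `AttachGroupPolicy` and inline `PutUserPolicy`) is a different operation that this rule does not cover.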
Categories
- Cloud
- AWS
- Identity Management
Data Sources
- Cloud Service
- User Account
- Network Traffic
ATT&CK Techniques
- T1098
- T1098.003
Created: 2024-05-30