
IAM Assume Role Blocklist Ignored

Panther Rules

Summary
This rule monitors AWS IAM role assumptions to identify when a user has assumed a role that has been explicitly blocklisted for manual user assumption. Blocklisting such roles is a key control against privilege escalation and unauthorized access within AWS environments: if a user is able to assume a blocklisted role, a security policy has been bypassed and the role's privileges may be abused. The rule matches AWS CloudTrail log entries that record a user assuming a role on the blocklist, and it ships with tests covering assumptions of both blocklisted and non-blocklisted IAM roles. The detection is rated high severity because of the risk that privilege escalation poses to the security posture of the AWS environment.
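The following is an added illustration of the detection logic described above, written as a Panther-style rule module; it is not the rule's own source. It assumes a rule is a module exposing rule(event) -> bool and title(event) -> str, and it treats the CloudTrail event as a plain dict so it runs outside Panther. The blocklisted role ARN, the identity types treated as "manual user" assumption, and the sample CloudTrail events are all constructed for the example.

```python
"""Panther-style detection for a user assuming a blocklisted IAM role.

Assumptions (not from the page): the blocklist entry and the sample events
are constructed; the event is a plain dict rather than a Panther event object.
"""
from typing import Any, Dict, List

# Constructed placeholder: roles that must never be assumed by a human principal.
ASSUME_ROLE_BLOCKLIST = {
    "arn:aws:iam::123456789012:role/FullAdminRole",
}

# CloudTrail userIdentity.type values that represent a person rather than a
# service principal. Role chaining (type AssumedRole) is deliberately out of
# scope here, matching the rule's focus on manual user assumption.
HUMAN_IDENTITY_TYPES = {"IAMUser", "FederatedUser"}


def deep_get(obj: Any, *keys: str, default: Any = None) -> Any:
    """Walk nested dicts safely; CloudTrail records omit fields freely."""
    for key in keys:
        if not isinstance(obj, dict):
            return default
        obj = obj.get(key)
    return default if obj is None else obj


def was_successful(event: Dict[str, Any]) -> bool:
    """CloudTrail sets errorCode/errorMessage only when the API call failed."""
    return not event.get("errorCode") and not event.get("errorMessage")


def rule(event: Dict[str, Any]) -> bool:
    # Only a successful AssumeRole crosses the boundary; a denied call did not.
    if event.get("eventName") != "AssumeRole" or not was_successful(event):
        return False
    # Service principals are not "manual user assumption".
    if deep_get(event, "userIdentity", "type") not in HUMAN_IDENTITY_TYPES:
        return False
    return deep_get(event, "requestParameters", "roleArn") in ASSUME_ROLE_BLOCKLIST


def title(event: Dict[str, Any]) -> str:
    role = deep_get(event, "requestParameters", "roleArn", default="unknown")
    actor = deep_get(event, "userIdentity", "arn", default="unknown")
    return f"Blocklisted role {role} assumed by {actor}"


# Constructed sample CloudTrail records (trimmed to the fields the rule reads).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {   # IAM user successfully assumes a blocklisted role -> should alert
        "eventName": "AssumeRole",
        "eventSource": "sts.amazonaws.com",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/FullAdminRole",
                              "roleSessionName": "alice"},
    },
    {   # same user assumes a role that is not blocklisted -> no alert
        "eventName": "AssumeRole",
        "eventSource": "sts.amazonaws.com",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/ReadOnlyRole"},
    },
    {   # attempt on the blocklisted role was denied by IAM -> no alert
        "eventName": "AssumeRole",
        "eventSource": "sts.amazonaws.com",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
        "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/FullAdminRole"},
        "errorCode": "AccessDenied",
    },
    {   # an AWS service assumes the role as part of normal operation -> no alert
        "eventName": "AssumeRole",
        "eventSource": "sts.amazonaws.com",
        "userIdentity": {"type": "AWSService", "invokedBy": "ec2.amazonaws.com"},
        "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/FullAdminRole"},
    },
]


def matching_events(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return the events the rule would alert on."""
    return [e for e in events if rule(e)]


if __name__ == "__main__":
    for hit in matching_events(SAMPLE_EVENTS):
        print(title(hit))
```

Only the first sample fires: the denied attempt and the service-principal assumption are filtered out before the blocklist check, which is what keeps this rule's alert volume low while still catching the case the page describes.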
Categories
  • Cloud
  • AWS
  • Identity Management
Data Sources
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1548
Created: 2022-09-02