
AWS IAM Sensitive Operations via Lambda Execution Role

Elastic Detection Rules

Summary
This rule flags successful IAM control-plane operations performed by an AWS Lambda execution role, i.e. where the caller is an assumed-role session that belongs to a Lambda function. The operations covered are those that can grant privilege escalation or persistence: creating users or roles, attaching or putting policies, wiring roles to instance profiles, and minting long-lived credentials (CreateUser, CreateRole, CreateInstanceProfile, AddUserToGroup, AttachUserPolicy, PutUserPolicy, PutRolePolicy, AddRoleToInstanceProfile, CreateAccessKey).

The telemetry is CloudTrail (aws.cloudtrail). The Lambda context is established when aws.cloudtrail.user_identity.type is AssumedRole and either the call was invoked by the Lambda service (aws.cloudtrail.user_identity.invoked_by: lambda.amazonaws.com) or user_agent.original contains AWS_Lambda. Correlating the specific IAM action with that assumed-role context lets the rule surface abuse of compromised serverless code that could lead to lateral movement, credential theft, or persistence.

Legitimate automation (IaC pipelines, onboarding Lambdas) performs the same actions, so the rule expects tuning: exclude known execution role ARNs or tagged functions to reduce false positives.

Investigation: identify the Lambda function behind the session (the session name in the assumed-role ARN and the session issuer role), inspect request_parameters (userName, groupName, roleName, policyArn, instanceProfileName) to see what was created or modified, and compare source.ip and user_agent.original with the patterns the function normally produces. Look for follow-on activity such as new access keys or further AssumeRole calls to assess impact.

Remediation: revoke or rotate any credentials issued, detach or remove unintended policies, delete rogue users, roles, and instance profiles, and review the permission boundaries on the execution roles involved.

The rule is rated high risk and is aligned with the MITRE ATT&CK privilege escalation and persistence techniques for cloud accounts (Valid Accounts: Cloud Accounts), account creation (Create Account: Cloud Account), and Account Manipulation.
Categories
  • Cloud
  • AWS
  • Identity Management
Data Sources
  • Cloud Service
ATT&CK Techniques
  • T1078
  • T1078.004
  • T1136
  • T1136.003
  • T1098
Created: 2026-04-04