ASL AWS IAM AccessDenied Discovery Events

Splunk Security Content

Summary
This analytic rule detects excessive AccessDenied events for IAM users within AWS, using AWS CloudTrail logs. It identifies scenarios in which multiple access attempts from the same user identity and source IP address fail within a one-hour window. Such activity matters because it may indicate a compromised access key being used for unauthorized discovery actions within the AWS environment. A spike in failures can precede further exploitation attempts or privilege escalation. The detection works by filtering on the specific error messages that AWS returns for IAM permission failures, aggregating statistics on the failed attempts per identity and source IP, and surfacing the result so that potentially malicious user behavior can be investigated proactively.
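The following is an added, offline illustration of the aggregation the summary describes (IAM permission failures grouped by user identity and source IP in one-hour windows). It is not the Splunk rule's own search; the CloudTrail-style records, the `_event` helper, the field names read, the set of error codes, and the alert threshold are all constructed assumptions for this example.

```python
"""Added example: a minimal, offline version of the AccessDenied-burst logic
summarized above. The records, the sample data and the threshold are
constructed here; they are not the Splunk rule's own search or field list."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import re

# AWS authorization failures carry a message of the form
# "User: <arn> is not authorized to perform: <service>:<Action> on resource: <arn>".
# Matching on that phrase is how this example restricts itself to IAM permission errors.
IAM_DENY_RE = re.compile(r"is not authorized to perform: ([A-Za-z0-9-]+:[A-Za-z0-9]+)")
# Assumed set of CloudTrail errorCode values treated as authorization failures.
DENY_CODES = {"AccessDenied", "AccessDeniedException", "UnauthorizedOperation"}
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_time(s):
    """CloudTrail eventTime is ISO 8601 in UTC, e.g. 2025-01-08T10:03:11Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_denied_bursts(events, window=timedelta(hours=1), threshold=5):
    """Count IAM-denied API calls per (user ARN, source IP) in fixed-size windows.

    `threshold` is an assumed tuning value, not one taken from the rule.
    Returns one finding per bucket whose failed-call count reaches the threshold.
    """
    buckets = defaultdict(lambda: {"count": 0, "actions": set()})
    for ev in events:
        if ev.get("errorCode") not in DENY_CODES:
            continue  # successful call, or an error unrelated to authorization
        m = IAM_DENY_RE.search(ev.get("errorMessage", ""))
        if not m:
            continue  # AccessDenied whose message is not an IAM permission failure
        ts = parse_time(ev["eventTime"])
        bucket_start = ts - (ts - EPOCH) % window  # floor to the window boundary
        key = (ev["userIdentity"]["arn"], ev["sourceIPAddress"], bucket_start)
        buckets[key]["count"] += 1
        buckets[key]["actions"].add(m.group(1))
    findings = []
    for (arn, ip, start), b in sorted(buckets.items(), key=lambda kv: kv[0][2]):
        if b["count"] >= threshold:
            findings.append({
                "user": arn,
                "source_ip": ip,
                "window_start": start.isoformat(),
                "failed_calls": b["count"],
                "denied_actions": sorted(b["actions"]),
            })
    return findings


def _event(time, user, ip, action, denied=True):
    """Build a constructed CloudTrail-style record with only the fields this example reads."""
    service, api = action.split(":")
    arn = f"arn:aws:iam::123456789012:user/{user}"
    rec = {"eventTime": time, "eventSource": f"{service}.amazonaws.com",
           "eventName": api, "sourceIPAddress": ip, "userIdentity": {"arn": arn}}
    if denied:
        rec["errorCode"] = "AccessDenied"
        rec["errorMessage"] = f"User: {arn} is not authorized to perform: {action} on resource: *"
    return rec


# Constructed sample: one identity failing against many services from one IP inside
# an hour, plus benign noise (a successful call, a single failure, a later hour) that
# must not alert on its own.
SAMPLE_EVENTS = [
    _event("2025-01-08T10:01:05Z", "alice", "198.51.100.7", "ec2:DescribeInstances"),
    _event("2025-01-08T10:02:41Z", "alice", "198.51.100.7", "s3:ListAllMyBuckets"),
    _event("2025-01-08T10:03:11Z", "alice", "198.51.100.7", "iam:ListUsers"),
    _event("2025-01-08T10:03:59Z", "alice", "198.51.100.7", "iam:ListRoles"),
    _event("2025-01-08T10:07:22Z", "alice", "198.51.100.7", "secretsmanager:ListSecrets"),
    _event("2025-01-08T10:09:08Z", "alice", "198.51.100.7", "lambda:ListFunctions"),
    _event("2025-01-08T10:10:00Z", "alice", "198.51.100.7", "sts:GetCallerIdentity", denied=False),
    _event("2025-01-08T10:15:30Z", "bob", "203.0.113.9", "ec2:DescribeInstances"),
    _event("2025-01-08T11:20:00Z", "alice", "198.51.100.7", "rds:DescribeDBInstances"),
]

if __name__ == "__main__":
    for finding in detect_denied_bursts(SAMPLE_EVENTS):
        print(finding)
```

Running the block yields a single finding for `alice` from `198.51.100.7` in the 10:00 window with six failed calls spanning EC2, S3, IAM, Secrets Manager and Lambda; the breadth of denied services, not just the count, is what distinguishes discovery with a stolen key from an application retrying one misconfigured permission, so the finding carries the distinct action list for the analyst.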
Categories
  • Cloud
  • AWS
  • Identity Management
Data Sources
  • Pod
  • User Account
  • Application Log
  • Network Traffic
  • Cloud Service
ATT&CK Techniques
  • T1580
Created: 2025-01-08