
AWS CloudShell Environment Created

Elastic Detection Rules

Summary
Detects creation of an AWS CloudShell environment via the AWS CloudTrail CreateEnvironment event (provider cloudshell.amazonaws.com) where event.action is CreateEnvironment and event.outcome is success. The rule targets logs from filebeat-* and logs-aws.cloudtrail-* indices to identify when CloudShell is created for the first time or in a new region, which can indicate console session access by an attacker without local credentials. While CloudShell enables convenient admin access, adversaries with compromised console sessions can abuse it to run commands or interact with AWS resources. The detection helps surface unauthorized CloudShell usage and supports timely containment.
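The match condition described above, as an added example (not the Elastic rule source): a Python triage script that maps raw CloudTrail records to the fields the rule checks and groups the hits by principal and region. The field mapping (eventSource to event.provider, eventName to event.action, a present errorCode meaning failure) is an assumption about the ingest pipeline, and the sample records, account ID, ARNs and IPs are constructed.

```python
import json
from collections import defaultdict

# Constructed sample CloudTrail records (placeholder account ID, ARNs, documentation IPs).
SAMPLE = """
{"eventTime":"2026-03-12T09:14:02Z","eventSource":"cloudshell.amazonaws.com","eventName":"CreateEnvironment","awsRegion":"us-east-1","sourceIPAddress":"198.51.100.7","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"}}
{"eventTime":"2026-03-12T09:20:41Z","eventSource":"cloudshell.amazonaws.com","eventName":"CreateEnvironment","awsRegion":"ap-south-1","sourceIPAddress":"203.0.113.50","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/Admin/bob"},"errorCode":"AccessDenied"}
{"eventTime":"2026-03-12T09:31:10Z","eventSource":"cloudshell.amazonaws.com","eventName":"CreateSession","awsRegion":"us-east-1","sourceIPAddress":"198.51.100.7","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"}}
{"eventTime":"2026-03-12T10:02:55Z","eventSource":"cloudshell.amazonaws.com","eventName":"CreateEnvironment","awsRegion":"eu-west-1","sourceIPAddress":"203.0.113.50","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"}}
{"eventTime":"2026-03-12T10:05:00Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","awsRegion":"us-east-1","sourceIPAddress":"198.51.100.7","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"}}
"""

def to_ecs(record):
    # Assumed mapping from raw CloudTrail keys to the fields the rule matches on.
    return {
        "@timestamp": record.get("eventTime"),
        "event.provider": record.get("eventSource"),
        "event.action": record.get("eventName"),
        "event.outcome": "failure" if record.get("errorCode") else "success",
        "cloud.region": record.get("awsRegion"),
        "source.ip": record.get("sourceIPAddress"),
        "aws.cloudtrail.user_identity.arn": record.get("userIdentity", {}).get("arn", "unknown"),
    }

def matches_rule(ecs):
    # The three conditions named in the rule summary.
    return (ecs["event.provider"] == "cloudshell.amazonaws.com"
            and ecs["event.action"] == "CreateEnvironment"
            and ecs["event.outcome"] == "success")

def find_hits(text):
    # Parse JSON-lines input, skipping blank or malformed lines.
    hits = []
    for line in filter(None, map(str.strip, text.splitlines())):
        try:
            ecs = to_ecs(json.loads(line))
        except json.JSONDecodeError:
            continue
        if matches_rule(ecs):
            hits.append(ecs)
    return hits

def regions_by_principal(hits):
    # Group hits so a principal opening CloudShell in an unexpected region stands out.
    grouped = defaultdict(set)
    for hit in hits:
        grouped[hit["aws.cloudtrail.user_identity.arn"]].add(hit["cloud.region"])
    return {arn: sorted(regions) for arn, regions in grouped.items()}

if __name__ == "__main__":
    print(json.dumps(regions_by_principal(find_hits(SAMPLE)), indent=2))
```

During triage, compare each hit's source.ip and region against the principal's usual console activity; in the constructed data the same user appears from a second IP in a second region.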
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Service
ATT&CK Techniques
  • T1059.009
  • T1059
Created: 2026-03-12