
AWS IAM AccessDenied Discovery Events

Splunk Security Content

Summary
This detection identifies bursts of AccessDenied events for IAM users in AWS, using AWS CloudTrail logs to surface possible unauthorized access attempts. It looks for multiple failed API calls from the same user identity and source IP address within a one-hour window. Such activity suggests a compromised access key being used for discovery: an attacker who has obtained credentials typically enumerates the environment to learn what the key can reach, and the calls that fall outside the key's permissions show up as AccessDenied errors. The information gathered this way can feed further exploitation such as privilege escalation. Before alerting, the rule aggregates, per user identity and source IP, the number of failed calls, the number of distinct event names (API methods), and the event sources (services) involved, so that genuine probing is flagged while false positives can be reduced by tuning on source IP and user identity.
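The following is an added example, not the Splunk search itself or any code from Splunk Security Content: it re-implements the aggregation the summary describes in Python so the logic can be exercised offline against constructed CloudTrail-shaped records. The discovery-verb list (Describe*/List*/Get*), the thresholds, the requirement that both thresholds be exceeded, and the tumbling one-hour bucket are assumptions for illustration; the sample records, ARNs and IP addresses are constructed and not real telemetry.

```python
"""Hourly burst of AccessDenied discovery calls per IAM user and source IP.

Added example: a Python re-implementation of the logic the summary describes,
runnable offline over constructed CloudTrail-shaped records. It is not the
Splunk search itself; thresholds and the discovery-verb list are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timezone

DISCOVERY_PREFIXES = ("Describe", "List", "Get")  # assumed discovery API verbs
MIN_DENIED = 5           # assumed: AccessDenied calls per user+IP per hour
MIN_DISTINCT_EVENTS = 3  # assumed: distinct API names in the same hour


def _rec(ts, arn, ip, name, source, user_type="IAMUser", error="AccessDenied"):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    r = {
        "eventTime": ts, "eventSource": source, "eventName": name,
        "sourceIPAddress": ip, "recipientAccountId": "123456789012",
        "userIdentity": {"type": user_type, "arn": arn},
    }
    if error:  # successful calls carry no errorCode field at all
        r["errorCode"] = error
    return r


ATTACKER = "arn:aws:iam::123456789012:user/ci-deploy"
ALICE = "arn:aws:iam::123456789012:user/alice"
ROLE = "arn:aws:sts::123456789012:assumed-role/ops/session"
EVIL_IP, ALICE_IP, ROLE_IP = "198.51.100.23", "203.0.113.5", "203.0.113.9"

# Constructed records: one key sweeping seven services in five minutes, plus
# benign noise that the filters and thresholds must leave alone.
SAMPLE_CLOUDTRAIL = [
    _rec("2024-11-14T10:01:10Z", ATTACKER, EVIL_IP, "DescribeInstances", "ec2.amazonaws.com"),
    _rec("2024-11-14T10:01:12Z", ATTACKER, EVIL_IP, "DescribeSecurityGroups", "ec2.amazonaws.com"),
    _rec("2024-11-14T10:01:15Z", ATTACKER, EVIL_IP, "DescribeVpcs", "ec2.amazonaws.com"),
    _rec("2024-11-14T10:02:01Z", ATTACKER, EVIL_IP, "ListBuckets", "s3.amazonaws.com"),
    _rec("2024-11-14T10:02:04Z", ATTACKER, EVIL_IP, "GetBucketPolicy", "s3.amazonaws.com"),
    _rec("2024-11-14T10:03:20Z", ATTACKER, EVIL_IP, "ListUsers", "iam.amazonaws.com"),
    _rec("2024-11-14T10:03:22Z", ATTACKER, EVIL_IP, "ListRoles", "iam.amazonaws.com"),
    _rec("2024-11-14T10:03:25Z", ATTACKER, EVIL_IP, "GetAccountAuthorizationDetails", "iam.amazonaws.com"),
    _rec("2024-11-14T10:04:00Z", ATTACKER, EVIL_IP, "ListFunctions", "lambda.amazonaws.com"),
    _rec("2024-11-14T10:04:30Z", ATTACKER, EVIL_IP, "DescribeDBInstances", "rds.amazonaws.com"),
    _rec("2024-11-14T10:05:00Z", ATTACKER, EVIL_IP, "ListSecrets", "secretsmanager.amazonaws.com"),
    _rec("2024-11-14T10:05:10Z", ATTACKER, EVIL_IP, "ListKeys", "kms.amazonaws.com"),
    # Excluded by design: not a discovery verb / not denied / next hour bucket.
    _rec("2024-11-14T10:06:00Z", ATTACKER, EVIL_IP, "DeleteBucket", "s3.amazonaws.com"),
    _rec("2024-11-14T10:06:30Z", ATTACKER, EVIL_IP, "DescribeInstances", "ec2.amazonaws.com", error=None),
    _rec("2024-11-14T11:05:00Z", ATTACKER, EVIL_IP, "ListBuckets", "s3.amazonaws.com"),
    # Benign: two stray denials from a human user, below both thresholds.
    _rec("2024-11-14T10:15:00Z", ALICE, ALICE_IP, "ListBuckets", "s3.amazonaws.com"),
    _rec("2024-11-14T10:40:00Z", ALICE, ALICE_IP, "GetObject", "s3.amazonaws.com"),
    # An assumed role: noisy, but not an IAMUser, so out of scope for this rule.
    *[_rec(f"2024-11-14T10:2{i}:00Z", ROLE, ROLE_IP, n, "ec2.amazonaws.com", user_type="AssumedRole")
      for i, n in enumerate(["DescribeInstances", "DescribeVolumes", "DescribeImages",
                             "DescribeSnapshots", "DescribeVpcs", "DescribeSubnets"])],
]


def hour_bucket(event_time):
    """Truncate a CloudTrail eventTime to the hour (tumbling one-hour window)."""
    t = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return t.replace(minute=0, second=0).strftime("%Y-%m-%dT%H:%M:%SZ")


def detect(records, min_denied=MIN_DENIED, min_distinct=MIN_DISTINCT_EVENTS,
           allow_src_ips=(), allow_users=()):
    """Group AccessDenied discovery calls by hour, user ARN and source IP and
    return one alert per group that meets both thresholds. allow_* are the
    tuning knobs the summary mentions (known scanners, break-glass users)."""
    groups = defaultdict(list)
    for r in records:
        ident = r.get("userIdentity", {})
        if r.get("errorCode") != "AccessDenied" or ident.get("type") != "IAMUser":
            continue
        if not r.get("eventName", "").startswith(DISCOVERY_PREFIXES):
            continue
        if r.get("sourceIPAddress") in allow_src_ips or ident.get("arn") in allow_users:
            continue
        key = (hour_bucket(r["eventTime"]), ident.get("arn"),
               r.get("sourceIPAddress"), r.get("recipientAccountId"))
        groups[key].append(r)

    alerts = []
    for (hour, arn, ip, account), evs in sorted(groups.items()):
        names = sorted({e["eventName"] for e in evs})
        sources = sorted({e["eventSource"] for e in evs})
        if len(evs) < min_denied or len(names) < min_distinct:
            continue
        times = sorted(e["eventTime"] for e in evs)
        alerts.append({
            "hour": hour, "user_arn": arn, "src_ip": ip, "aws_account_id": account,
            "count": len(evs), "distinct_eventName": len(names), "eventName": names,
            "distinct_eventSource": len(sources), "eventSource": sources,
            "firstTime": times[0], "lastTime": times[-1],
        })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_CLOUDTRAIL):
        print(f"{a['hour']} {a['user_arn']} from {a['src_ip']}: "
              f"{a['count']} denied calls, {a['distinct_eventName']} APIs across "
              f"{a['distinct_eventSource']} services: {', '.join(a['eventSource'])}")
```

Run as-is, the only alert is the ci-deploy key at 198.51.100.23: twelve denied discovery calls spanning seven services in a single hour, while the lone DeleteBucket denial (not a discovery verb), the successful DescribeInstances (no errorCode), the next-hour ListBuckets, the two stray denials from alice and the AssumedRole session are all left out. The spread across services is the useful signal for triage: a misconfigured script usually fails against one API repeatedly, whereas a stolen key probing for reach fails across many. The allow_src_ips and allow_users parameters stand in for the source-IP and user-identity tuning the summary describes.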
Categories
  • Cloud
  • AWS
  • Identity Management
Data Sources
  • Cloud Storage
  • Cloud Service
  • Logon Session
ATT&CK Techniques
  • T1580
Created: 2024-11-14