
Summary
This rule detects successful AWS Management Console logins performed with temporary credentials that an EC2 instance obtained by assuming an IAM role through AWS STS. Instance-profile credentials exist for API calls made by the workload, not for interactive console sessions, so a successful console login under such a session points to credential compromise (the instance's credentials being used from elsewhere) or lateral movement. The detection keys on the session name in the assumed-role ARN (arn:aws:sts::<account>:assumed-role/<RoleName>/<SessionName>): credentials delivered to an EC2 instance carry the instance ID, which begins with 'i-', as the session name. The rule matches events from the AWS SignIn service (signin.amazonaws.com) whose action is ConsoleLogin or GetSigninToken and whose outcome is a successful login. The high risk score reflects the potential for an attacker to misuse this path for unauthorized access and warrants immediate investigation and response. Context is essential during triage: administrative scripts, monitoring tools, or scheduled jobs that legitimately federate into the console from an instance can produce false positives. The guide advises reviewing the surrounding CloudTrail activity for the role session (source IP, user agent, and the API calls made before and after the login) and, where compromise is confirmed, revoking the compromised credentials immediately to contain the breach.
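As an added example that is not part of the rule or of this page, the following Python runs the detection logic described above over a few constructed CloudTrail-shaped records: it requires the SignIn event source, a ConsoleLogin or GetSigninToken action, an AssumedRole identity whose session name looks like an EC2 instance ID, and a successful outcome, and it supports an allowlist for the automation roles the summary names as a false-positive source. The instance-ID regex, the sample records, and the assumption that GetSigninToken reports its outcome in responseElements the same way ConsoleLogin does are this example's own.

```python
import re

# Assumption of this example: EC2 instance IDs are "i-" followed by 8 or 17
# lowercase hex characters, and an instance's STS credentials carry that ID
# as the role session name.
EC2_SESSION_RE = re.compile(r"^i-[0-9a-f]{8,17}$")

SIGNIN_SOURCE = "signin.amazonaws.com"
SIGNIN_ACTIONS = ("ConsoleLogin", "GetSigninToken")


def _record(event_name, ident_type, arn, outcome, source=SIGNIN_SOURCE,
            ip="203.0.113.10", time="2024-07-24T10:15:00Z"):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {
        "eventTime": time,
        "eventSource": source,
        "eventName": event_name,
        "sourceIPAddress": ip,
        "userIdentity": {"type": ident_type, "arn": arn},
        "responseElements": {event_name: outcome} if outcome else None,
    }


ACCT = "123456789012"
# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    # 1: EC2 instance-profile session logging into the console -> alert
    _record("ConsoleLogin", "AssumedRole",
            f"arn:aws:sts::{ACCT}:assumed-role/EC2AdminRole/i-0a1b2c3d4e5f67890", "Success"),
    # 2: same pattern via the federation endpoint -> alert
    _record("GetSigninToken", "AssumedRole",
            f"arn:aws:sts::{ACCT}:assumed-role/WebServerRole/i-0fedcba987654321f", "Success",
            ip="198.51.100.7"),
    # 3: human-named federated session -> not an instance session
    _record("ConsoleLogin", "AssumedRole",
            f"arn:aws:sts::{ACCT}:assumed-role/AdminRole/alice", "Success"),
    # 4: plain IAM user login -> out of scope
    _record("ConsoleLogin", "IAMUser", f"arn:aws:iam::{ACCT}:user/alice", "Success"),
    # 5: instance session, but the login failed -> rule wants successes only
    _record("ConsoleLogin", "AssumedRole",
            f"arn:aws:sts::{ACCT}:assumed-role/EC2AdminRole/i-0a1b2c3d4e5f67890", "Failure"),
    # 6: the AssumeRole call itself is logged by STS, not SignIn -> ignored
    _record("AssumeRole", "AssumedRole",
            f"arn:aws:sts::{ACCT}:assumed-role/EC2AdminRole/i-0a1b2c3d4e5f67890", None,
            source="sts.amazonaws.com"),
]


def session_name(record):
    """Return the role session name for AssumedRole identities, else None."""
    ident = record.get("userIdentity") or {}
    if ident.get("type") != "AssumedRole":
        return None
    # arn:aws:sts::<account>:assumed-role/<RoleName>/<SessionName>
    parts = ident.get("arn", "").split("/")
    if len(parts) != 3 or not parts[0].endswith(":assumed-role"):
        return None
    return parts[2]


def role_name(record):
    """Role name from an assumed-role ARN (only called after session_name matched)."""
    return record["userIdentity"]["arn"].split("/")[1]


def login_succeeded(record):
    """ConsoleLogin reports Success/Failure under responseElements; this example
    assumes GetSigninToken is recorded the same way. Any errorCode means failure."""
    if record.get("errorCode"):
        return False
    resp = record.get("responseElements") or {}
    return resp.get(record.get("eventName")) == "Success"


def is_ec2_console_login(record):
    """The rule's match condition for a single record."""
    if record.get("eventSource") != SIGNIN_SOURCE:
        return False
    if record.get("eventName") not in SIGNIN_ACTIONS:
        return False
    name = session_name(record)
    if name is None or not EC2_SESSION_RE.match(name):
        return False
    return login_succeeded(record)


def find_alerts(records, allowlisted_roles=frozenset()):
    """Run the rule over records, skipping roles known to federate legitimately."""
    alerts = []
    for rec in records:
        if not is_ec2_console_login(rec):
            continue
        role = role_name(rec)
        if role in allowlisted_roles:
            continue
        alerts.append({
            "time": rec["eventTime"],
            "action": rec["eventName"],
            "role": role,
            "instance_id": session_name(rec),
            "source_ip": rec.get("sourceIPAddress"),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```

Two records (the ConsoleLogin under EC2AdminRole and the GetSigninToken under WebServerRole) match; the human-named session, the IAM user, the failed login, and the STS AssumeRole call do not. Passing `{"EC2AdminRole"}` as the allowlist drops the first alert, which is how the false-positive sources the summary lists would be handled in practice. When triaging a hit, the source IP and the role session's other CloudTrail activity (the fields the example carries into the alert) are the first things to check; CloudTrail also records sessionContext.ec2RoleDelivery on identities whose credentials came from the instance metadata service, which is a stronger confirmation that the session belongs to an instance than the session-name prefix alone.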
Categories
- Cloud
- AWS
- Identity Management
Data Sources
- Cloud Service
- Cloud Storage
- Web Credential
ATT&CK Techniques
- T1021
- T1021.007
- T1550
- T1550.001
Created: 2024-07-24