
AWS Attach or Put role policy

Anvilogic Forge

Summary
This detection rule monitors AWS CloudTrail logs for events related to IAM role policy modifications. It specifically tracks the 'AttachRolePolicy' and 'PutRolePolicy' actions, which indicate that a new policy has been attached to an IAM role or that an existing policy has been replaced. By gathering the relevant fields (user details, event timestamps and associated metadata), the rule surfaces policy manipulation that could be used for privilege escalation or persistent access. Matching events are aggregated, and the results are enriched with DNS and geolocation information for deeper analysis, so that changes indicating malicious activity or policy abuse within an AWS environment can be identified quickly.
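The matching and aggregation logic the summary describes, shown on constructed CloudTrail records as an added example (this is not Anvilogic's rule code; the sample records, account id, role and policy names are all made up, and the DNS/geolocation enrichment step is left to downstream tooling):

```python
# Constructed CloudTrail records for illustration only (placeholder account id, fake actors).
SAMPLE_LOG = [
    {"eventTime": "2024-02-09T10:01:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachRolePolicy", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"roleName": "app-role",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-02-09T10:02:30Z", "eventSource": "iam.amazonaws.com",
     "eventName": "PutRolePolicy", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"roleName": "app-role", "policyName": "inline-allow-all"}},
    {"eventTime": "2024-02-09T10:03:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListRoles", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": None},
]

WATCHED_EVENTS = {"AttachRolePolicy", "PutRolePolicy"}


def is_role_policy_change(record):
    """True only for the two IAM API calls this rule tracks."""
    return (record.get("eventSource") == "iam.amazonaws.com"
            and record.get("eventName") in WATCHED_EVENTS)


def extract_fields(record):
    """Pull the actor, time, source IP and affected role/policy out of one record."""
    params = record.get("requestParameters") or {}
    return {
        "time": record["eventTime"],
        "event": record["eventName"],
        "actor": record.get("userIdentity", {}).get("arn", "unknown"),
        "src_ip": record.get("sourceIPAddress"),  # the field DNS/geo enrichment would act on
        "role": params.get("roleName"),
        # AttachRolePolicy carries a managed policy ARN; PutRolePolicy carries an inline policy name
        "policy": params.get("policyArn") or params.get("policyName"),
    }


def aggregate_by_actor(records):
    """Group matching events per actor: count, roles and policies touched, IPs, first/last seen."""
    out = {}
    for fields in map(extract_fields, filter(is_role_policy_change, records)):
        agg = out.setdefault(fields["actor"], {"count": 0, "roles": set(), "policies": set(),
                                               "src_ips": set(), "first_seen": fields["time"],
                                               "last_seen": fields["time"]})
        agg["count"] += 1
        agg["roles"].add(fields["role"]); agg["policies"].add(fields["policy"]); agg["src_ips"].add(fields["src_ip"])
        agg["first_seen"] = min(agg["first_seen"], fields["time"])
        agg["last_seen"] = max(agg["last_seen"], fields["time"])
    # Sets become sorted lists so the result is stable and serialisable for the enrichment step.
    return {k: {**v, "roles": sorted(v["roles"]), "policies": sorted(v["policies"]),
                "src_ips": sorted(v["src_ips"])} for k, v in out.items()}
```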
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Service
  • Cloud Storage
ATT&CK Techniques
  • T1098
  • T1484
Created: 2024-02-09