
Summary
Detects AWS IAM inline policy additions to groups via PutGroupPolicy. An inline policy is embedded directly in an IAM group and applies to every current and future member, so a single call can grant broad permissions to many principals at once. Attackers can abuse this for privilege escalation (granting elevated permissions to a group they belong to or will later join) and for persistence, because the grant survives as long as the group does and is easy to overlook in reviews that focus on users and managed policies. Inline group policies are less common than managed-policy attachments, so a policy creation by an unexpected principal warrants review. The rule matches PutGroupPolicy events from iam.amazonaws.com in CloudTrail that completed without an errorCode, excludes known automation and service principals, and encourages investigation of the actor (userIdentity), the targeted group (requestParameters.groupName), and the policy scope (requestParameters.policyDocument, which CloudTrail records with the event, so wildcard actions or resources can be flagged directly). This aligns with MITRE techniques Account Manipulation (T1098) and Additional Cloud Roles (T1098.003) under Privilege Escalation and Persistence.
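The detection logic described above, run over a few constructed CloudTrail records, as an added example that is not part of the original rule or its vendor's code. It assumes CloudTrail's documented field layout for IAM events (eventSource, eventName, errorCode, userIdentity.arn, requestParameters.groupName/policyName/policyDocument) and a hypothetical allowlist of automation role ARNs; the wildcard check on the policy document is an added triage heuristic, not part of the rule as stated.

```python
import fnmatch
import json
from urllib.parse import unquote

# Constructed CloudTrail records (not real data), trimmed to the fields the rule uses.
SAMPLE_EVENTS = [
    {   # successful PutGroupPolicy by a human user, granting Action:* / Resource:*
        "eventSource": "iam.amazonaws.com", "eventName": "PutGroupPolicy",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/jdoe"},
        "requestParameters": {
            "groupName": "developers", "policyName": "temp-access",
            "policyDocument": json.dumps({"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Action": "*", "Resource": "*"}]}),
        },
    },
    {   # same API call from a known automation role (hypothetical name): excluded by allowlist
        "eventSource": "iam.amazonaws.com", "eventName": "PutGroupPolicy",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/TerraformDeploy/ci-run-42"},
        "requestParameters": {
            "groupName": "readers", "policyName": "bucket-read",
            "policyDocument": json.dumps({"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Action": ["s3:GetObject"],
                 "Resource": "arn:aws:s3:::example-bucket/*"}]}),
        },
    },
    {   # denied attempt: nothing was granted, so the rule does not fire
        "eventSource": "iam.amazonaws.com", "eventName": "PutGroupPolicy",
        "errorCode": "AccessDenied", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/intern"},
        "requestParameters": {"groupName": "admins", "policyName": "x"},
    },
    {   # different IAM call (managed policy attachment): out of scope for this rule
        "eventSource": "iam.amazonaws.com", "eventName": "AttachGroupPolicy",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/jdoe"},
        "requestParameters": {"groupName": "developers",
                              "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"},
    },
]

# Hypothetical allowlist of automation principals (fnmatch patterns over userIdentity.arn).
AUTOMATION_ALLOWLIST = [
    "arn:aws:sts::*:assumed-role/TerraformDeploy/*",
    "arn:aws:iam::*:role/TerraformDeploy",
]


def parse_policy_document(doc):
    """CloudTrail records the inline policy as a string; accept plain JSON or
    percent-encoded JSON (assumption: both forms occur in exported trails)."""
    if isinstance(doc, dict):
        return doc
    try:
        return json.loads(doc)
    except (TypeError, ValueError):
        return json.loads(unquote(doc))


def policy_is_broad(policy):
    """True if any Allow statement uses a wildcard action (* or service:*)
    or a wildcard resource. Used for triage priority, not for matching."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if any(a == "*" or a.endswith(":*") for a in actions) or "*" in resources:
            return True
    return False


def is_allowlisted(arn, allowlist):
    return any(fnmatch.fnmatchcase(arn, pattern) for pattern in allowlist)


def detect_put_group_policy(events, allowlist=AUTOMATION_ALLOWLIST):
    """One alert per successful PutGroupPolicy by a non-allowlisted principal,
    carrying the fields an analyst needs to start the investigation."""
    alerts = []
    for ev in events:
        if ev.get("eventSource") != "iam.amazonaws.com" or ev.get("eventName") != "PutGroupPolicy":
            continue
        if ev.get("errorCode"):          # failed calls grant nothing
            continue
        actor = ev.get("userIdentity", {}).get("arn", "")
        if is_allowlisted(actor, allowlist):
            continue
        params = ev.get("requestParameters", {})
        policy = parse_policy_document(params.get("policyDocument", "{}"))
        alerts.append({
            "actor": actor,
            "group": params.get("groupName"),
            "policy_name": params.get("policyName"),
            "broad_grant": policy_is_broad(policy),
            "source_ip": ev.get("sourceIPAddress"),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_put_group_policy(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Run against the sample records, only the jdoe event produces an alert, flagged as a broad grant; the automation role is suppressed by the allowlist, the AccessDenied call is skipped, and AttachGroupPolicy is left to its own rule. Whether the actor is (or can become) a member of the targeted group is not visible in the PutGroupPolicy event itself and has to be checked separately, for example with ListGroupsForUser, during the investigation the rule calls for.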
Categories
- Cloud
- Identity Management
Data Sources
- Cloud Service
- Group
- Process
- Application Log
ATT&CK Techniques
- T1098
- T1098.003
Created: 2026-06-18