AWS IAM Enumeration

Anvilogic Forge

Summary
The rule titled "AWS IAM Enumeration" is designed to detect potential malicious activities targeting Amazon Elastic Container Services (ECS) by monitoring specific API calls in AWS CloudTrail logs. ECS is a vital service for hosting containerized applications on AWS. Adversaries may exploit task definitions, as they encapsulate configurations for running containers, containing significant information which could lead to further compromise of the environment. The detection rule monitors for the API events 'ListAttachedRolePolicies' and 'ListRolePolicies', which are indicative of an attacker trying to gather information about IAM roles and policies associated with ECS tasks. A successful enumeration can reveal sensitive roles that may contain permissions to modify or access ECS resources, thus paving the way for privilege escalation or lateral movement within the AWS infrastructure. The logic utilizes a time filter to analyze events that occurred within the last two hours, focusing on specific actions that relate to the enumeration of IAM roles. By correlating this activity with known threat actor behaviors linked to GUI-vil, organizations can enhance their AWS security posture against IAM enumeration attempts and respond proactively.
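The detection logic described above, applied to constructed CloudTrail records, as an added example written for this page and not part of the Anvilogic Forge rule. It assumes standard CloudTrail JSON field names (eventTime, eventSource, eventName, userIdentity.arn, sourceIPAddress, requestParameters.roleName), a fixed reference time NOW for the two-hour look-back, and sample records built inline with documentation IP ranges and the placeholder account 123456789012.

```python
from datetime import datetime, timedelta, timezone

# IAM API calls the rule watches for.
ENUM_EVENTS = {"ListAttachedRolePolicies", "ListRolePolicies"}
# Reference time for the two-hour look-back (assumed for this example).
NOW = datetime(2024, 2, 9, 11, 0, tzinfo=timezone.utc)

# Constructed sample CloudTrail records, not real logs: two enumeration calls
# in the window, one benign IAM call, and one enumeration call four hours old.
SAMPLE_RECORDS = [
    {"eventTime": "2024-02-09T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListRolePolicies", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-user"},
     "requestParameters": {"roleName": "ecsTaskExecutionRole"}},
    {"eventTime": "2024-02-09T10:20:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListAttachedRolePolicies", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-user"},
     "requestParameters": {"roleName": "ecsTaskRole"}},
    {"eventTime": "2024-02-09T10:30:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "GetUser", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-user"},
     "requestParameters": {"userName": "example-user"}},
    {"eventTime": "2024-02-09T07:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListRolePolicies", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/ci-role"},
     "requestParameters": {"roleName": "ecsTaskRole"}},
]

def parse_time(ts):
    """CloudTrail eventTime is ISO 8601 UTC, e.g. 2024-02-09T10:05:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def find_iam_enumeration(records, now=NOW, window=timedelta(hours=2)):
    """Return IAM role-policy enumeration events inside the look-back window."""
    cutoff = now - window
    return [r for r in records
            if r.get("eventSource") == "iam.amazonaws.com"
            and r.get("eventName") in ENUM_EVENTS
            and parse_time(r["eventTime"]) >= cutoff]

def summarize_by_principal(hits):
    """Group hits per calling identity: call count, roles queried, source IPs."""
    summary = {}
    for r in hits:
        arn = r["userIdentity"]["arn"]
        entry = summary.setdefault(arn, {"count": 0, "roles": set(), "ips": set()})
        entry["count"] += 1
        entry["roles"].add(r.get("requestParameters", {}).get("roleName"))
        entry["ips"].add(r["sourceIPAddress"])
    return summary
```

Grouping by principal is what makes the alert reviewable: one identity walking several ECS task roles in quick succession is the pattern worth triaging, while a single call from a known automation role is usually noise.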
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Storage
  • Network Traffic
  • Application Log
ATT&CK Techniques
  • T1082
Created: 2024-02-09