
AWS Instance Metadata Service Queried for Credentials - Proxy

Anvilogic Forge

Summary
This detection rule targets suspicious queries to the AWS Instance Metadata Service (IMDS), specifically attempts by threat actors to read AWS security credentials or instance identity documents through unauthorized means. It monitors requests to the IMDS endpoint (169.254.169.254) that could indicate abuse of exposed credentials. Informed by past incidents such as the 2019 Capital One breach, the rule captures any successful HTTP GET request (a status code in the 200s) to paths that return IAM security credentials (/latest/meta-data/iam/security-credentials/ and the role names beneath it) or the instance identity document (/latest/dynamic/instance-identity/document). Because groups such as Kinsing are known to harvest credentials from IMDS, it is critical to validate legitimate access to the metadata service within your environment and allowlist it where appropriate; the AWS SDKs and agents running on instances query these same paths as part of normal operation, so the rule is noisy without tuning. Note also that an unauthenticated GET to these paths only succeeds where IMDSv1 is still enabled: IMDSv2 requires a session token obtained with a PUT to /latest/api/token and presented in the X-aws-ec2-metadata-token header, so a successful plain GET in proxy logs is itself a sign that the instance is not enforcing IMDSv2.
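The detection logic described above, run over a few constructed proxy log lines, as an added example that is not the Forge rule's own query or code. The log format (timestamp, source IP, method, URL, status), the sample records and the allowlist are assumptions made for the illustration; the IMDS endpoint and the two sensitive path prefixes are the real ones.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Link-local IMDS endpoint shared by every EC2 instance.
IMDS_ENDPOINT = "169.254.169.254"

# Paths that return IAM role credentials or the instance identity document.
SENSITIVE_PATHS = (
    re.compile(r"^/latest/meta-data/iam/security-credentials(?:/|$)"),
    re.compile(r"^/latest/dynamic/instance-identity/document$"),
)

# Hypothetical proxy log layout (not a vendor schema):
#   <timestamp> <src_ip> <method> <url> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})$"
)
URL_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/[^?#]*)?")


@dataclass
class Hit:
    ts: str
    src: str
    path: str
    status: int


def parse_line(line: str) -> Optional[dict]:
    """Split one proxy log line into fields; None if it does not match the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    u = URL_RE.match(m["url"])
    if not u:
        return None
    return {
        "ts": m["ts"],
        "src": m["src"],
        "method": m["method"],
        "host": u["host"],
        "path": u["path"] or "/",
        "status": int(m["status"]),
    }


def is_sensitive_imds_read(rec: dict) -> bool:
    """Rule core: successful (2xx) GET to a credential- or identity-bearing IMDS path."""
    return (
        rec["host"] == IMDS_ENDPOINT
        and rec["method"] == "GET"
        and 200 <= rec["status"] <= 299
        and any(p.match(rec["path"]) for p in SENSITIVE_PATHS)
    )


def detect(lines: Iterable[str], allowlist: frozenset = frozenset()) -> List[Hit]:
    """Return hits for every line that matches the rule and is not from an allowlisted source."""
    hits: List[Hit] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["src"] in allowlist:
            continue
        if is_sensitive_imds_read(rec):
            hits.append(Hit(rec["ts"], rec["src"], rec["path"], rec["status"]))
    return hits


# Constructed sample traffic. Line 1 is an IMDSv2 token request (PUT, not flagged);
# line 5 reads a harmless path; line 6 fails with a 404; line 7 comes from a host
# we treat as a known-good workload in the allowlisted run.
SAMPLE_LOG = """\
2024-02-09T10:15:01Z 10.0.1.5 PUT http://169.254.169.254/latest/api/token 200
2024-02-09T10:15:02Z 10.0.1.5 GET http://169.254.169.254/latest/meta-data/iam/security-credentials/ 200
2024-02-09T10:15:03Z 10.0.1.5 GET http://169.254.169.254/latest/meta-data/iam/security-credentials/web-role 200
2024-02-09T10:15:04Z 10.0.1.5 GET http://169.254.169.254/latest/dynamic/instance-identity/document 200
2024-02-09T10:15:05Z 10.0.1.5 GET http://169.254.169.254/latest/meta-data/hostname 200
2024-02-09T10:15:06Z 10.0.2.9 GET http://169.254.169.254/latest/meta-data/iam/security-credentials/ 404
2024-02-09T10:15:07Z 10.0.3.7 GET http://169.254.169.254/latest/meta-data/iam/security-credentials/ 200
"""

KNOWN_GOOD_SOURCES = frozenset({"10.0.3.7"})  # assumed allowlist for the example

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG.splitlines(), KNOWN_GOOD_SOURCES):
        print(f"{hit.ts} {hit.src} GET {hit.path} -> {hit.status}")
```

The untuned run flags four reads (the credential listing, the named role, the identity document, and the same listing from 10.0.3.7); with the allowlist applied, three remain. The PUT to /latest/api/token is deliberately not matched, but its presence tells you the caller speaks IMDSv2, which is worth correlating when triaging a hit.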
Categories
  • Cloud
  • AWS
Data Sources
  • Web Credential
  • Network Traffic
ATT&CK Techniques
  • T1552.005
Created: 2024-02-09