AWS S3 Unauthenticated Bucket Access by Rare Source

Elastic Detection Rules

Summary
This detection rule monitors AWS CloudTrail events for unauthenticated access attempts against Amazon S3 buckets originating from rare source IP addresses. Such access can indicate a misconfigured S3 bucket policy that allows public access, which poses a significant security risk by potentially exposing sensitive data to unauthorized users. The rule fires when a new, previously unobserved IP address issues requests using monitored actions such as 'GetObject' or 'ListBucket', flagging anomalous access patterns that may signal exploitation of weak permissions. Beyond identifying potential breaches, the rule's structured analysis helps security teams investigate the nature and scope of the access, focusing on the legitimacy of the IP, the source's behavior, and the bucket's configuration. Possible investigation steps include reviewing CloudTrail logs, examining S3 bucket policies, and assessing the impact of any exposed data. By generating alerts for rare-IP accesses, the rule supports a proactive security posture and helps organizations mitigate the risks associated with misconfigured AWS resources.
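The following is an added illustration of the detection logic described above, written for this page and not taken from Elastic's rule repository. It runs the rule's two conditions (unsigned S3 GetObject/ListBucket calls, then a source IP never seen before) over constructed CloudTrail records; the `accountId == "anonymous"` marker for unsigned requests is an assumption about how public S3 access appears in CloudTrail.

```python
# Constructed CloudTrail-style records for demonstration (not real logs).
# Field names follow the CloudTrail record format; the "anonymous" accountId
# marker for unsigned requests is an assumption, not confirmed by the page.
SAMPLE_EVENTS = [
    {"eventTime": "2024-12-17T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AWSAccount", "accountId": "anonymous"},
     "requestParameters": {"bucketName": "corp-backups", "key": "db.sql"}},
    {"eventTime": "2024-12-17T10:00:05Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBucket", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AWSAccount", "accountId": "anonymous"},
     "requestParameters": {"bucketName": "corp-backups"}},
    {"eventTime": "2024-12-17T10:01:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "accountId": "111122223333",
                      "userName": "backup-job"},
     "requestParameters": {"bucketName": "corp-backups", "key": "db.sql"}},
    {"eventTime": "2024-12-17T10:02:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"type": "AWSAccount", "accountId": "anonymous"},
     "requestParameters": {"bucketName": "public-assets", "key": "logo.png"}},
]

# The actions the rule watches; CloudTrail logs these under eventName.
MONITORED_ACTIONS = {"GetObject", "ListBucket"}


def is_unauthenticated_s3_access(event):
    """Rule's query filter: an unsigned S3 call using one of the monitored actions."""
    ident = event.get("userIdentity", {})
    return (event.get("eventSource") == "s3.amazonaws.com"
            and event.get("eventName") in MONITORED_ACTIONS
            and ident.get("type") == "AWSAccount"
            and ident.get("accountId") == "anonymous")


def rare_source_alerts(events, baseline_ips):
    """Emulate the 'rare source' (new-terms) check on sourceIPAddress.

    Alerts once per IP that is absent from the baseline of previously observed
    IPs; later events from the same IP are suppressed. Returns a list of
    (ip, bucket, action) tuples in time order so an analyst can start triage.
    """
    seen = set(baseline_ips)
    alerts = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if not is_unauthenticated_s3_access(ev):
            continue  # authenticated calls (IAM users/roles) are out of scope
        ip = ev["sourceIPAddress"]
        if ip in seen:
            continue  # known source: not rare, no alert
        seen.add(ip)
        bucket = ev.get("requestParameters", {}).get("bucketName")
        alerts.append((ip, bucket, ev["eventName"]))
    return alerts
```

With 192.0.2.44 already in the baseline, only the first unsigned request from 203.0.113.10 against corp-backups raises an alert; the authenticated backup-job call never does.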
Categories
  • Cloud
  • AWS
  • Containers
Data Sources
  • Cloud Service
  • Network Traffic
  • Logon Session
  • Cloud Storage
  • Network Share
ATT&CK Techniques
  • T1530
  • T1619
  • T1485
Created: 2024-12-17