
Kubernetes AWS detect sensitive role access

Splunk Security Content

Summary
This detection rule identifies Kubernetes accounts in AWS EKS (Elastic Kubernetes Service) that access sensitive objects such as ConfigMaps or Secrets. It filters out requests that originate from local, non-threatening IP addresses (127.0.0.1 and ::1) and specifically looks for activity involving cluster roles or cluster role bindings. The search queries the AWS CloudWatch logs associated with EKS and filters for specific Kubernetes API actions. Its output includes the source IP addresses, usernames, associated user groups, namespaces, and the reason for the access as recorded in the Kubernetes authorization annotations. The rule helps security teams monitor potentially unauthorized access to sensitive resources; it should be tuned with normal operational needs in mind, since there may be legitimate reasons for such access events. Implementation requires the Splunk AWS add-on and the Splunk App for AWS, which ingest these logs and make them available for querying.
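As an added illustration, not part of the original page and not Splunk's own rule (the SPL search itself is not reproduced here), the filtering logic described above implemented in Python over a few constructed Kubernetes audit events in the JSON form EKS writes to CloudWatch. The field names used (sourceIPs, user.username, user.groups, objectRef.resource, objectRef.namespace, the authorization.k8s.io/decision and authorization.k8s.io/reason annotations) are the standard Kubernetes audit schema. Two things are assumptions of this example rather than facts from the page: the set of resource kinds treated as sensitive, and the loopback test, which covers the whole loopback range and is therefore slightly broader than the two addresses the rule names.

```python
import json
from ipaddress import ip_address

# Resource kinds treated as sensitive. Assumption for this example: the page
# names ConfigMaps, Secrets, cluster roles and cluster role bindings but does
# not show which field the real search keys on.
SENSITIVE_RESOURCES = {"secrets", "configmaps", "clusterroles", "clusterrolebindings"}

# Constructed audit events (sample data for this example, not page content).
SAMPLE_LOG_LINES = [
    # Loopback client reading a secret: excluded by the local-IP filter.
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "get",
                "user": {"username": "system:apiserver", "groups": ["system:masters"]},
                "sourceIPs": ["::1"],
                "objectRef": {"resource": "secrets", "namespace": "kube-system", "name": "bootstrap-token"},
                "annotations": {"authorization.k8s.io/decision": "allow",
                                "authorization.k8s.io/reason": ""}}),
    # External user denied when listing secrets: a match worth reviewing.
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "list",
                "user": {"username": "jdoe", "groups": ["system:authenticated", "dev-team"]},
                "sourceIPs": ["203.0.113.7"],
                "objectRef": {"resource": "secrets", "namespace": "kube-system"},
                "annotations": {"authorization.k8s.io/decision": "forbid",
                                "authorization.k8s.io/reason": ""}}),
    # Service account creating a cluster role binding: matches, reason shows the grant.
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "create",
                "user": {"username": "ci-deployer", "groups": ["system:serviceaccounts", "system:authenticated"]},
                "sourceIPs": ["10.0.3.41"],
                "objectRef": {"resource": "clusterrolebindings", "name": "deployer-admin"},
                "annotations": {"authorization.k8s.io/decision": "allow",
                                "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"ci-admin\" of ClusterRole \"cluster-admin\" to ServiceAccount \"deployer/ci\""}}),
    # Ordinary pod read: not a sensitive resource, no match.
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "get",
                "user": {"username": "jdoe", "groups": ["system:authenticated"]},
                "sourceIPs": ["203.0.113.7"],
                "objectRef": {"resource": "pods", "namespace": "default", "name": "web-1"},
                "annotations": {"authorization.k8s.io/decision": "allow",
                                "authorization.k8s.io/reason": "RBAC: allowed by RoleBinding \"dev/default\""}}),
    # Malformed line: must be skipped, not crash the search.
    "not json at all",
]


def parse_audit_event(line):
    """Parse one CloudWatch line as a Kubernetes audit Event; None if it is not one."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(event, dict) or event.get("kind") != "Event":
        return None
    user = event.get("user") or {}
    obj = event.get("objectRef") or {}
    ann = event.get("annotations") or {}
    return {
        "src_ips": list(event.get("sourceIPs") or []),
        "user": user.get("username", ""),
        "groups": list(user.get("groups") or []),
        "verb": event.get("verb", ""),
        "resource": obj.get("resource", ""),
        "namespace": obj.get("namespace", ""),   # empty for cluster-scoped objects
        "name": obj.get("name", ""),
        "decision": ann.get("authorization.k8s.io/decision", ""),
        "reason": ann.get("authorization.k8s.io/reason", ""),
    }


def originates_locally(src_ips):
    """True when the first hop (the real client, before any proxies) is loopback."""
    if not src_ips:
        return False
    try:
        return ip_address(src_ips[0]).is_loopback
    except ValueError:
        return False


def detect_sensitive_role_access(lines):
    """Apply the rule's filters and return the matching events with the output fields."""
    hits = []
    for line in lines:
        parsed = parse_audit_event(line)
        if parsed is None or originates_locally(parsed["src_ips"]):
            continue
        if parsed["resource"] not in SENSITIVE_RESOURCES:
            continue
        hits.append(parsed)
    return hits


def summarize(hit):
    """One-line rendering of the fields the rule reports."""
    return (f"{','.join(hit['src_ips'])} {hit['user']} ({','.join(hit['groups'])}) "
            f"{hit['verb']} {hit['resource']}/{hit['name'] or '*'} "
            f"ns={hit['namespace'] or '-'} decision={hit['decision']} reason={hit['reason'] or '-'}")


if __name__ == "__main__":
    for hit in detect_sensitive_role_access(SAMPLE_LOG_LINES):
        print(summarize(hit))
```

Run against the samples, the loopback secret read and the pod read drop out, leaving the denied secrets listing and the cluster role binding creation; the annotation reason on the second match is what lets an analyst see which binding granted the access, which is the triage context the rule's output is meant to provide.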
Categories
  • Cloud
  • Kubernetes
  • AWS
Data Sources
  • Cloud Service
  • Network Traffic
Created: 2024-11-14