
Summary
This rule detects when an AWS IAM user's static API access key has been uploaded to a public GitHub repository. An exposed key poses a significant security risk because anyone who finds it can use it for unauthorized access to AWS resources. The detection is based on CloudTrail logs, which record IAM and credential-management API calls; the rule uses one specific event, 'PutUserPolicy', as the indicator that an AWS access key has been compromised. On a match the rule raises a high-severity alert, since the exposed credentials may already be in malicious use. The accompanying runbook lists the remediation steps, including revoking the key and assessing the affected user account, needed to restore the security of the AWS environment.
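The detection logic described above, run over a few constructed CloudTrail records, as an added example (this is illustrative code written for this page, not the rule's own query or runbook): it matches IAM PutUserPolicy events and emits a high-severity alert carrying the target user and policy name, which are the details a responder needs to start the key-revocation steps. The record contents, account id and policy name are constructed sample values.

```python
import json

# Constructed CloudTrail records (sample data, not real logs): one inline
# policy attachment via PutUserPolicy and two events that must not alert.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2022-09-02T10:15:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "PutUserPolicy",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/svc-deploy"},
     "requestParameters": {"userName": "svc-deploy",
                           "policyName": "QuarantinePolicy-example"}},
    {"eventTime": "2022-09-02T10:16:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"userName": "alice"}},
    {"eventTime": "2022-09-02T10:17:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"bucketName": "example-bucket"}},
]})


def detect_put_user_policy(cloudtrail_json: str) -> list[dict]:
    """Return one high-severity alert per IAM PutUserPolicy event.

    Only records whose eventSource is IAM and whose eventName is exactly
    PutUserPolicy match; everything else (other IAM calls, other services)
    is ignored so the rule stays narrow.
    """
    alerts = []
    for rec in json.loads(cloudtrail_json).get("Records", []):
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue
        if rec.get("eventName") != "PutUserPolicy":
            continue
        params = rec.get("requestParameters") or {}
        alerts.append({
            "severity": "high",
            "technique": "T1552",
            "time": rec.get("eventTime"),
            "target_user": params.get("userName"),   # whose key to revoke
            "policy_name": params.get("policyName"),
            "actor": (rec.get("userIdentity") or {}).get("arn"),
            "next_steps": "revoke the user's access keys; review account activity",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_put_user_policy(SAMPLE_CLOUDTRAIL):
        print(json.dumps(alert, indent=2))
```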
Categories
- AWS
- Cloud
- Identity Management
Data Sources
- Cloud Storage
- Application Log
- Logon Session
ATT&CK Techniques
- T1552
Created: 2022-09-02