
AWS GetSigninToken

Anvilogic Forge

Summary
The AWS GetSigninToken rule monitors use of the GetSigninToken action of the AWS sign-in federation endpoint. This action exchanges a set of temporary security credentials for a sign-in token that can be embedded in a URL, giving a federated user access to the AWS Management Console without entering credentials. The rule is intended to surface cases where a threat actor who has obtained temporary credentials uses this API to turn API-only access into an interactive console session. A GetSigninToken call normally indicates that a user is signing in to the console through AWS IAM Identity Center (formerly AWS SSO) or a custom federation broker; calls outside the expected parameters or user agents warrant further scrutiny, especially when made from roles that are not configured for SSO and would not ordinarily invoke this API. The detection uses AWS CloudTrail logs to capture the relevant events, identifies the distinguishing characteristics of these calls, and aggregates data such as user agent, source IP, and user actions per principal. To reduce false positives, filter or allowlist known user agents. The rule maps to ATT&CK techniques T1550.001 (Use Alternate Authentication Material: Application Access Token) and T1021 (Remote Services), the latter under the Lateral Movement tactic.
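As an added worked example (not the Anvilogic Forge rule's own code), the following Python runs the detection logic described above over a handful of constructed CloudTrail-shaped records: it keeps only GetSigninToken events from signin.amazonaws.com, drops allowlisted user agents, aggregates the remainder by principal, source IP and user agent, and ranks a finding higher when the assumed role is not an IAM Identity Center permission-set role. The allowlisted user agent corp-console-launcher/1.0, the use of the AWSReservedSSO_ role-name prefix as the "SSO-configured role" indicator, the severity ranking and the sample records are all assumptions made for this example.

```python
"""Detection logic for AWS GetSigninToken over CloudTrail records.

Added example; not the Anvilogic Forge rule's own code. Field names follow
the CloudTrail record format; the user-agent allowlist, the SSO role-name
heuristic and the sample records below are assumptions for this demo.
"""
import json
from collections import defaultdict

# Hypothetical allowlist of user agents known to call GetSigninToken legitimately.
ALLOWLISTED_USER_AGENTS = {"corp-console-launcher/1.0"}
# IAM Identity Center creates permission-set roles with this prefix; used here as a
# heuristic for "SSO-configured role" (assumption: custom federation setups differ).
SSO_ROLE_PREFIX = "AWSReservedSSO_"


def _ev(time, ip, ua, arn, name="GetSigninToken"):
    """Build a constructed CloudTrail-shaped record (sample data, not real telemetry)."""
    return {"eventTime": time, "eventSource": "signin.amazonaws.com", "eventName": name,
            "sourceIPAddress": ip, "userAgent": ua,
            "userIdentity": {"type": "AssumedRole", "arn": arn}}


ACCOUNT = "123456789012"
BROWSER = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
SSO_ARN = f"arn:aws:sts::{ACCOUNT}:assumed-role/AWSReservedSSO_AdministratorAccess_0123456789abcdef/alice"
DEPLOY_ARN = f"arn:aws:sts::{ACCOUNT}:assumed-role/DeployRole/i-0abc123"
SAMPLE_EVENTS = [
    _ev("2024-03-28T09:00:00Z", "198.51.100.10", BROWSER, SSO_ARN),                     # expected SSO sign-in
    _ev("2024-03-28T09:05:00Z", "203.0.113.5", "python-requests/2.31.0", DEPLOY_ARN),  # scripted, non-SSO role
    _ev("2024-03-28T09:10:00Z", "203.0.113.5", "python-requests/2.31.0", DEPLOY_ARN),  # repeat: aggregated
    _ev("2024-03-28T09:12:00Z", "198.51.100.20", "corp-console-launcher/1.0",
        f"arn:aws:sts::{ACCOUNT}:assumed-role/ConsoleLauncherRole/svc"),                 # allowlisted UA
    _ev("2024-03-28T09:15:00Z", "198.51.100.10", BROWSER, SSO_ARN, name="ConsoleLogin"),  # not GetSigninToken
]


def parse_principal(arn):
    """Return (role_name, session_name) for an assumed-role ARN, else (arn, "")."""
    resource = arn.split(":", 5)[-1]          # e.g. "assumed-role/DeployRole/i-0abc123"
    parts = resource.split("/")
    if parts[0] == "assumed-role" and len(parts) >= 3:
        return parts[1], parts[2]
    return arn, ""


def is_get_signin_token(event):
    """True for CloudTrail records of the GetSigninToken action on the sign-in endpoint."""
    return (event.get("eventSource") == "signin.amazonaws.com"
            and event.get("eventName", "").lower() == "getsignintoken")


def severity(role, user_agent):
    """Rank: non-SSO role is high; SSO role with a non-browser UA is medium; else low."""
    if not role.startswith(SSO_ROLE_PREFIX):
        return "high"
    return "low" if user_agent.startswith("Mozilla/") else "medium"


def detect(events, allowlist=ALLOWLISTED_USER_AGENTS):
    """Aggregate non-allowlisted GetSigninToken calls by principal, source IP and user agent."""
    buckets = defaultdict(list)
    for ev in events:
        if not is_get_signin_token(ev):
            continue
        ua = ev.get("userAgent", "")
        if ua in allowlist:
            continue                           # known tooling: suppressed to cut false positives
        role, session = parse_principal(ev.get("userIdentity", {}).get("arn", ""))
        buckets[(role, session, ev.get("sourceIPAddress", ""), ua)].append(ev["eventTime"])

    findings = []
    for (role, session, ip, ua), times in buckets.items():
        findings.append({"role": role, "session": session, "source_ip": ip, "user_agent": ua,
                         "count": len(times), "first_seen": min(times), "last_seen": max(times),
                         "sso_role": role.startswith(SSO_ROLE_PREFIX),
                         "severity": severity(role, ua)})
    order = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: (order[f["severity"]], f["role"]))
    return findings


if __name__ == "__main__":
    print(json.dumps(detect(SAMPLE_EVENTS), indent=2))
```

Run as a script to see the two findings: the DeployRole session from 203.0.113.5 with a scripted user agent (two calls, high) and the Identity Center sign-in (one call, low). The allowlisted launcher and the ConsoleLogin record never reach the aggregation, which is the point of allowlisting known user agents before counting.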
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Service
  • Process
ATT&CK Techniques
  • T1550.001
  • T1021
Created: 2024-03-28