
Summary
This detection rule identifies role chaining in AWS: an identity that is already operating under an assumed role calls sts:AssumeRole to take on a second role through the AWS CLI or API. Role chaining is a legitimate AWS feature for managing access, but it can be abused for privilege escalation when the second role carries more privileges than the first, letting an adversary pivot from a low-privileged foothold to elevated access to AWS resources. The detection criteria are scoped to activity within a single AWS account, which reduces the false positives that routine cross-account access patterns would otherwise produce. The rule examines the relevant STS API calls and user access patterns that indicate suspicious role chaining, and it outlines steps for investigation and remediation. It is categorized under multiple ATT&CK tactics, reflecting its relevance to privilege escalation, lateral movement, and persistence.
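The criteria described above can be run as plain detection logic over CloudTrail records. The following is an added illustration, not the rule's own query: it flags sts:AssumeRole calls whose caller is already an assumed-role session and whose target role lives in the same account, and it excludes the first hop from an IAM user, cross-account hops, and a session re-assuming its own role (a credential refresh). The CloudTrail field names (eventSource, eventName, userIdentity, requestParameters) are real; the account IDs, role names and events are constructed sample data.

```python
"""Illustrative same-account role-chaining detection over CloudTrail-style records.

Added example, not the detection rule's own query. The records built below are
constructed test data, not real CloudTrail logs.
"""
import json

CALLER_ACCOUNT = "111122223333"  # constructed account ID


def make_event(event_id, identity_type, caller, target_role,
               target_account=CALLER_ACCOUNT,
               event_source="sts.amazonaws.com", event_name="AssumeRole"):
    """Build a minimal CloudTrail-like record (constructed test data)."""
    if identity_type == "AssumedRole":
        # An assumed-role session: the STS ARN names the role and session,
        # and sessionIssuer names the IAM role the credentials came from.
        identity = {
            "type": "AssumedRole",
            "accountId": CALLER_ACCOUNT,
            "arn": f"arn:aws:sts::{CALLER_ACCOUNT}:assumed-role/{caller}/session",
            "sessionContext": {"sessionIssuer": {
                "arn": f"arn:aws:iam::{CALLER_ACCOUNT}:role/{caller}"}},
        }
    else:
        identity = {"type": identity_type, "accountId": CALLER_ACCOUNT,
                    "arn": f"arn:aws:iam::{CALLER_ACCOUNT}:user/{caller}"}
    return {
        "eventID": event_id,
        "eventSource": event_source,
        "eventName": event_name,
        "recipientAccountId": CALLER_ACCOUNT,
        "userIdentity": identity,
        "requestParameters": {
            "roleArn": f"arn:aws:iam::{target_account}:role/{target_role}",
            "roleSessionName": "hop"},
    }


# Constructed sample: one true chaining hop and three benign look-alikes.
SAMPLE_EVENTS = [
    make_event("evt-1", "AssumedRole", "RoleA", "RoleB"),   # RoleA -> RoleB, same account: chaining
    make_event("evt-2", "IAMUser", "alice", "RoleA"),       # user -> role: the normal first hop
    make_event("evt-3", "AssumedRole", "RoleA", "PartnerRole",
               target_account="444455556666"),              # cross-account: out of scope
    make_event("evt-4", "AssumedRole", "RoleA", "RoleA"),   # same role again: credential refresh
]


def account_of(arn):
    """The account ID is the fifth colon-separated field of an ARN."""
    return arn.split(":")[4]


def is_same_account_role_chaining(event):
    """True when an already-assumed role calls sts:AssumeRole for a different
    role in the same account, mirroring the criteria the summary describes."""
    if event.get("eventSource") != "sts.amazonaws.com" or event.get("eventName") != "AssumeRole":
        return False
    identity = event.get("userIdentity", {})
    if identity.get("type") != "AssumedRole":
        return False  # IAMUser, Root, AWSService: not a chained hop
    target = event.get("requestParameters", {}).get("roleArn", "")
    if not target or account_of(target) != identity.get("accountId"):
        return False  # cross-account hops are deliberately out of scope
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")
    return issuer != target  # re-assuming the same role is a refresh, not escalation


def find_role_chaining(events):
    """Return (eventID, issuing role ARN, target role ARN) for every hit."""
    hits = []
    for event in events:
        if is_same_account_role_chaining(event):
            issuer = event["userIdentity"]["sessionContext"]["sessionIssuer"]["arn"]
            hits.append((event["eventID"], issuer, event["requestParameters"]["roleArn"]))
    return hits


if __name__ == "__main__":
    for event_id, from_role, to_role in find_role_chaining(SAMPLE_EVENTS):
        print(json.dumps({"eventID": event_id, "from_role": from_role, "to_role": to_role}))
```

Two tuning points a practitioner will hit immediately. First, EC2 instance profiles, Lambda execution roles and ECS task roles all run under AssumedRole credentials, so any workload that legitimately assumes a second role in its own account will match; allowlisting known (source role, target role) pairs or alerting only on first-seen pairs keeps the rule useful. Second, AWS limits a role-chained session to a maximum of one hour regardless of the role's configured maximum, so an adversary relying on chained credentials has to repeat the hop, which makes repeated hits for the same pair a stronger signal than a single one.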
Categories
- Cloud
- AWS
Data Sources
- Cloud Service
- Cloud Storage
- User Account
ATT&CK Techniques
- T1548
- T1550
- T1550.001
Created: 2024-10-23