
Summary
This detection rule identifies suspicious behavior by AWS Identity and Access Management (IAM) users using temporary session tokens. It fires when a single user's token is used from multiple IP addresses within a 30-minute window, a pattern that suggests possible credential theft. Temporary session tokens, whose access key IDs typically start with 'ASIA', are designed to be ephemeral and bound to a single user session, so use from diverse IPs may indicate that an adversary has obtained the token. The investigation process includes examining the identity of the IAM user, checking Multi-Factor Authentication (MFA) events, reviewing the workload context for legitimacy, and analyzing related AWS actions to trace unauthorized movement. False positives can arise in highly distributed environments where automation tools rotate through several IP addresses, so geolocation and context should be confirmed before taking action. When the alert is validated, immediate responses include revoking the compromised token, auditing the AWS environment for further malicious activity, and reinforcing controls such as enforcing MFA on critical actions.
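The following is an added example of the rule's core logic run over constructed CloudTrail-style records; it is not the rule's own query. It assumes the relevant fields are `eventTime`, `sourceIPAddress` and `userIdentity.accessKeyId`, keys tokens on the 'ASIA' prefix the summary describes, and uses the 30-minute sliding window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)

def _ev(t, ip, user, key, name):
    # Build a constructed CloudTrail-like record (sample data, not real).
    return {"eventTime": t, "sourceIPAddress": ip, "eventName": name,
            "userIdentity": {"type": "IAMUser", "userName": user, "accessKeyId": key}}

# Constructed sample events: alice's temporary token is used from two IPs 12 minutes
# apart (should alert); bob's is used from two IPs 90 minutes apart (outside the
# window); carol uses a long-term AKIA key from two IPs (not a temporary token).
SAMPLE_EVENTS = [
    _ev("2025-04-11T10:00:00Z", "203.0.113.10", "alice", "ASIAEXAMPLEKEY0000001", "ListBuckets"),
    _ev("2025-04-11T10:12:00Z", "198.51.100.7", "alice", "ASIAEXAMPLEKEY0000001", "GetCallerIdentity"),
    _ev("2025-04-11T10:00:00Z", "192.0.2.5", "bob", "ASIAEXAMPLEKEY0000002", "DescribeInstances"),
    _ev("2025-04-11T11:30:00Z", "192.0.2.9", "bob", "ASIAEXAMPLEKEY0000002", "DescribeInstances"),
    _ev("2025-04-11T10:00:00Z", "192.0.2.5", "carol", "AKIAEXAMPLEKEY0000003", "ListUsers"),
    _ev("2025-04-11T10:05:00Z", "192.0.2.9", "carol", "AKIAEXAMPLEKEY0000003", "ListUsers"),
]

def find_multi_ip_tokens(events, window=WINDOW):
    """Return {accessKeyId: {"user": ..., "ips": [...]}} for temporary tokens
    (access key ids starting with 'ASIA') seen from more than one source IP
    inside any interval of length `window`."""
    by_key = defaultdict(list)
    for ev in events:
        ident = ev.get("userIdentity", {})
        key = ident.get("accessKeyId", "")
        if not key.startswith("ASIA"):
            continue  # long-term AKIA keys are out of scope for this rule
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        by_key[key].append((ts, ev["sourceIPAddress"], ident.get("userName")))
    alerts = {}
    for key, rows in by_key.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # slide the window start forward until the span fits within `window`
            while rows[end][0] - rows[start][0] > window:
                start += 1
            ips = {ip for _, ip, _ in rows[start:end + 1]}
            if len(ips) > 1:
                alerts[key] = {"user": rows[end][2], "ips": sorted(ips)}
    return alerts

if __name__ == "__main__":
    for key, hit in find_multi_ip_tokens(SAMPLE_EVENTS).items():
        print(f"ALERT: token {key} for user {hit['user']} used from {hit['ips']}")
```

Widening the window (e.g. `window=WINDOW * 4`) would also flag bob's token, which illustrates why the 30-minute bound matters for keeping distributed automation out of the alert set.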
Categories
- Cloud
- AWS
- Identity Management
Data Sources
- Cloud Storage
- User Account
- Application Log
ATT&CK Techniques
- T1078
- T1078.004
Created: 2025-04-11