
Summary
This rule detects unusual or unauthorized attachment of customer-managed IAM policies to roles in AWS, which may indicate a privilege escalation attempt. It uses AWS CloudTrail logs to monitor `AttachRolePolicy` actions, specifically looking for events where the policy is attached by a less frequently seen user. The rule checks whether the combination of the user ARN (`aws.cloudtrail.user_identity.arn`) and role name (`aws.cloudtrail.flattened.request_parameters.roleName`) has been observed in the past 14 days. If the combination is new, it raises an alert that requires further investigation to confirm that the action is legitimate and does not indicate misuse or unauthorized access. Key investigation steps include confirming the identity and usual activity of the user, examining the attached policy for sensitive permissions, and analyzing the source and behavior patterns associated with the action. This helps determine whether the policy attachment is part of routine administrative work or a malicious attempt to escalate privileges within the AWS environment.
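The new-terms logic described above, as an added illustration that is not the rule's own implementation: it replays constructed CloudTrail-shaped records, keeps only `AttachRolePolicy` events for customer-managed policies (assumed here to be any policy ARN outside the `arn:aws:iam::aws:policy/` namespace), and flags a (user ARN, roleName) pair that has not been seen in the preceding 14 days. The account id, user names, role names and policy names are made up.

```python
from datetime import datetime, timedelta

ACCOUNT = "123456789012"                          # constructed sample account id
AWS_MANAGED_PREFIX = "arn:aws:iam::aws:policy/"   # AWS-managed policies live here
CUSTOMER = f"arn:aws:iam::{ACCOUNT}:policy/"      # customer-managed policies (sample)

def make_event(time, user, role, policy_arn, event_name="AttachRolePolicy"):
    """Minimal CloudTrail-shaped record. userIdentity.arn and
    requestParameters.roleName are the raw fields behind the ECS names
    aws.cloudtrail.user_identity.arn / ...request_parameters.roleName."""
    return {"eventTime": time, "eventName": event_name,
            "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/{user}"},
            "requestParameters": {"roleName": role, "policyArn": policy_arn}}

# Constructed sample log, not real CloudTrail data.
SAMPLE_EVENTS = [
    make_event("2024-09-01T09:00:00Z", "bob", "legacy-role", CUSTOMER + "legacy-admin"),
    make_event("2024-10-20T09:00:00Z", "alice", "app-role", CUSTOMER + "app-s3-read"),
    make_event("2024-10-27T09:00:00Z", "bob", "legacy-role", CUSTOMER + "legacy-admin"),  # pair aged out (56 days)
    make_event("2024-10-28T09:00:00Z", "alice", "app-role", CUSTOMER + "app-sqs-send"),   # pair seen 8 days ago
    make_event("2024-10-28T10:00:00Z", "ci-bot", "ci-role", AWS_MANAGED_PREFIX + "ReadOnlyAccess"),  # AWS-managed
    make_event("2024-10-28T11:00:00Z", "ci-bot", "app-role", CUSTOMER + "app-admin"),     # never seen before
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def is_customer_managed(policy_arn):
    # Assumption: anything outside the AWS-managed namespace is customer-managed.
    return not policy_arn.startswith(AWS_MANAGED_PREFIX)

def find_new_attachments(events, evaluate_from, window_days=14):
    """Return AttachRolePolicy events whose (user ARN, roleName) pair was not
    seen in the preceding window_days. Events before evaluate_from only
    populate history, mirroring a rule that looks back 14 days from its run."""
    last_seen, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        params = ev["requestParameters"]
        if ev["eventName"] != "AttachRolePolicy" or not is_customer_managed(params["policyArn"]):
            continue
        key = (ev["userIdentity"]["arn"], params["roleName"])
        ts, prev = parse_ts(ev["eventTime"]), last_seen.get(key)
        if ts >= evaluate_from and (prev is None or ts - prev > timedelta(days=window_days)):
            alerts.append(ev)
        last_seen[key] = ts   # update history after the check so the event is not its own precedent
    return alerts

if __name__ == "__main__":
    for ev in find_new_attachments(SAMPLE_EVENTS, datetime(2024, 10, 26)):
        print(ev["eventTime"], ev["userIdentity"]["arn"], "->", ev["requestParameters"]["roleName"])
```

Both the stale pairing (bob on legacy-role, last seen 56 days ago) and the never-seen pairing (ci-bot on app-role) surface, while alice's routine attachment and the AWS-managed policy do not.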
Categories
- Cloud
Data Sources
- Cloud Service
- Cloud Storage
ATT&CK Techniques
- T1548
- T1548.005
Created: 2024-11-04