
Summary
This rule identifies potential misuse of Kubernetes Role-Based Access Control (RBAC) authorizations by individual user accounts in Amazon EKS clusters. Using AWS CloudWatch logs, it captures actions taken by users with elevated privileges and highlights unintended or unauthorized grants of sensitive roles. The search query filters and displays the relevant events so that security analysts can investigate patterns in RBAC usage. Note that hits from this rule are not conclusive on their own: RBAC authorizations are not inherently malicious, and the goal is to surface uncommon patterns that may indicate privilege abuse or an escalation attempt. Analysts can adjust the search to focus on the most or least active accounts in terms of RBAC authorizations, which helps expose abnormal behavior.
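As an added illustration of the triage described above (example code, not the rule's own search query), the following Python filters Kubernetes audit events in the JSON form EKS forwards to CloudWatch for RBAC write operations and ranks accounts by how often they attempt them. The sample events are constructed, and the function names are this example's own; the field names (`user.username`, `verb`, `objectRef.apiGroup`, `responseStatus.code`) are standard Kubernetes audit-event fields.

```python
import json
from collections import Counter

# Constructed sample audit events (Kubernetes audit log format as shipped
# to CloudWatch by EKS), trimmed to the fields this example inspects.
SAMPLE_EVENTS = [
    {"verb": "create", "user": {"username": "kubernetes-admin"},
     "objectRef": {"apiGroup": "rbac.authorization.k8s.io",
                   "resource": "clusterrolebindings", "name": "ci-admin"},
     "responseStatus": {"code": 201}},
    {"verb": "get", "user": {"username": "kubernetes-admin"},
     "objectRef": {"apiGroup": "rbac.authorization.k8s.io",
                   "resource": "roles", "name": "reader"},
     "responseStatus": {"code": 200}},
    {"verb": "patch", "user": {"username": "system:serviceaccount:dev:deployer"},
     "objectRef": {"apiGroup": "rbac.authorization.k8s.io",
                   "resource": "rolebindings", "name": "deploy"},
     "responseStatus": {"code": 200}},
    {"verb": "create", "user": {"username": "system:serviceaccount:dev:deployer"},
     "objectRef": {"apiGroup": "rbac.authorization.k8s.io",
                   "resource": "clusterrolebindings", "name": "deployer-admin"},
     "responseStatus": {"code": 403}},
    {"verb": "create", "user": {"username": "alice"},
     "objectRef": {"apiGroup": "apps", "resource": "deployments", "name": "web"},
     "responseStatus": {"code": 201}},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]  # one JSON event per log line

RBAC_API_GROUP = "rbac.authorization.k8s.io"
WRITE_VERBS = {"create", "update", "patch", "delete"}  # reads never change rights

def rbac_writes(lines):
    """Yield (user, verb, resource, name, status) for events that change RBAC."""
    for line in lines:
        ev = json.loads(line)
        ref = ev.get("objectRef", {})
        if ref.get("apiGroup") != RBAC_API_GROUP or ev.get("verb") not in WRITE_VERBS:
            continue
        yield (ev["user"]["username"], ev["verb"], ref.get("resource"),
               ref.get("name"), ev.get("responseStatus", {}).get("code"))

def rbac_activity_by_user(lines, most_active=True):
    """Rank accounts by RBAC write attempts; denied attempts count too."""
    counts = Counter(user for user, *_ in rbac_writes(lines))
    return sorted(counts.items(), key=lambda kv: (-kv[1] if most_active else kv[1], kv[0]))

def denied_rbac_writes(lines):
    """RBAC changes the API server refused (HTTP 403): worth a closer look."""
    return [w for w in rbac_writes(lines) if w[4] == 403]

if __name__ == "__main__":
    for user, n in rbac_activity_by_user(SAMPLE_LINES):
        print(f"{n:3d}  {user}")
    for w in denied_rbac_writes(SAMPLE_LINES):
        print("denied:", w)
```

Flip `most_active=False` to list the quietest accounts, which is the "least active users" view the summary mentions.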
Categories
- Kubernetes
- AWS
- Cloud
Data Sources
- Cloud Service
- Application Log
Created: 2024-11-14