
AWS Credentials Used from GitHub Actions and Non-CI/CD Infrastructure
Elastic Detection Rules
Summary
Detects AWS access keys used both from GitHub Actions CI/CD infrastructure and from non-CI/CD infrastructure by inspecting AWS CloudTrail events. The rule flags when the same AWS access_key_id appears in activity tied to GitHub Actions runners (identified via the github-actions user agent or the Microsoft ASN) and separately in activity from infrastructure outside the expected CI/CD provider ASNs. This pattern strongly indicates credential theft: secrets stored in GitHub are exfiltrated and then used from attacker-controlled environments. The detection window covers the last 7 days with a 1-hour dedup window, and both signals must be present for a match. The rule outputs investigation-relevant fields such as the access_key_id and the associated user/name to facilitate follow-up. It maps to MITRE ATT&CK techniques T1078.004 Cloud Accounts (Initial Access) and T1550.001 Application Access Token (Lateral Movement via alternate authentication material), with the observed activity consisting of AWS API calls (e.g., sts:GetCallerIdentity followed by enumeration calls). The intent is to surface credential exposure and misuse stemming from GitHub Actions secrets used outside CI/CD infrastructure, enabling rapid containment and remediation.
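As an added illustration of the two-signal logic described above (this is not Elastic's rule implementation, which is not reproduced on this page), the Python below runs the check over constructed CloudTrail-style records: it pairs each access_key_id seen from GitHub Actions with later use from a non-CI/CD ASN inside the 7-day lookback and suppresses repeat alerts per key for 1 hour. The access key IDs, user agents, ASNs 64496/64497 and the use of AS8075 as the Microsoft ASN are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumption for this example: GitHub-hosted runners egress from Microsoft's network (AS8075);
# the rule's real ASN allow-list is not reproduced on this page.
CI_PROVIDER_ASNS = {8075}
LOOKBACK = timedelta(days=7)   # detection window from the rule summary
DEDUP = timedelta(hours=1)     # at most one alert per key per hour

NOW = datetime(2026, 4, 21, 12, 0)
def _ev(minutes_ago, key, ua, asn, name, user="ci-deploy"):
    return {"time": NOW - timedelta(minutes=minutes_ago), "access_key_id": key,
            "user_agent": ua, "asn": asn, "event_name": name, "user_name": user}

GH_UA = "aws-cli/2.15.0 github-actions"  # constructed; real runner user agents differ
# Constructed CloudTrail-like records (not real data); ASNs 64496-64497 are reserved for documentation.
SAMPLE_EVENTS = [
    _ev(300, "AKIAEXAMPLEKEY0001", GH_UA, 8075, "GetCallerIdentity"),        # legitimate CI use
    _ev(180, "AKIAEXAMPLEKEY0001", "aws-cli/2.15.0", 64496, "ListBuckets"),  # same key, foreign ASN
    _ev(170, "AKIAEXAMPLEKEY0001", "aws-cli/2.15.0", 64496, "ListUsers"),    # inside dedup window
    _ev(30, "AKIAEXAMPLEKEY0001", "aws-cli/2.15.0", 64497, "ListRoles"),     # new alert after dedup
    _ev(120, "AKIAEXAMPLEKEY0002", GH_UA, 8075, "GetCallerIdentity"),        # CI only: no alert
    _ev(60, "AKIAEXAMPLEKEY0003", "aws-cli/2.15.0", 64496, "ListBuckets"),   # never seen from CI
    _ev(8 * 24 * 60, "AKIAEXAMPLEKEY0003", GH_UA, 8075, "GetCallerIdentity"),  # outside 7-day window
]

def is_github_actions(ev):
    """Signal 1: activity tied to a GitHub Actions runner (user agent or provider ASN)."""
    return "github-actions" in ev["user_agent"].lower() or ev["asn"] in CI_PROVIDER_ASNS

def is_non_ci(ev):
    """Signal 2: use from an ASN outside the expected CI/CD providers."""
    return ev["asn"] not in CI_PROVIDER_ASNS

def find_exposed_keys(events, now=NOW):
    """Alert on keys showing both signals inside LOOKBACK, at most once per key per DEDUP."""
    recent = sorted((e for e in events if now - e["time"] <= LOOKBACK), key=lambda e: e["time"])
    ci_first = {}  # access_key_id -> first GitHub Actions use in the window
    for ev in recent:
        if is_github_actions(ev):
            ci_first.setdefault(ev["access_key_id"], ev["time"])
    alerts, last_alert = [], {}
    for ev in recent:
        key = ev["access_key_id"]
        if key not in ci_first or not is_non_ci(ev) or is_github_actions(ev):
            continue
        if key in last_alert and ev["time"] - last_alert[key] < DEDUP:
            continue  # suppressed by the 1-hour dedup window
        last_alert[key] = ev["time"]
        alerts.append({"access_key_id": key, "user_name": ev["user_name"], "event_name": ev["event_name"],
                       "asn": ev["asn"], "first_ci_use": ci_first[key], "time": ev["time"]})
    return alerts
```

Running `find_exposed_keys(SAMPLE_EVENTS)` yields two alerts, both for the first key: one for the ListBuckets call from AS64496 (the ListUsers call ten minutes later is deduplicated) and one for the ListRoles call from AS64497 after the dedup window has elapsed.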
Categories
- Cloud
Data Sources
- Cloud Service
ATT&CK Techniques
- T1078
- T1078.004
- T1550
- T1550.001
Created: 2026-04-21