
AWS IAM Customer Managed Policy Version Created or Default Version Set
Elastic Detection Rules
Summary
Detects successful AWS IAM API calls that create a new customer managed policy version (CreatePolicyVersion) or set the default version (SetDefaultPolicyVersion). An actor holding iam:CreatePolicyVersion or iam:SetDefaultPolicyVersion on a privileged policy can inject a permissive policy document and activate it, escalating the privileges of every principal the policy is attached to without attaching any new policy. Because a managed policy can hold at most five versions, an attacker may first need to call DeletePolicyVersion; that call is not matched by this rule and is worth correlating with it.

The rule matches CloudTrail events (aws.cloudtrail) where event.provider is iam.amazonaws.com, event.action is CreatePolicyVersion or SetDefaultPolicyVersion, and event.outcome is success. Known automation and infrastructure tooling (AWSService identities, Terraform, CloudFormation, Service Catalog) is excluded to reduce noise. Since the user agent is supplied by the client, an actor who imitates one of the excluded tools would also be filtered out, so the exclusion list should be reviewed against what the environment actually runs.

Investigation focuses on the policyArn, the policyDocument (present only in CreatePolicyVersion requests), and setAsDefault (or versionId for SetDefaultPolicyVersion). Map the policy to the users, groups and roles it is attached to, prioritizing admin and break-glass principals; compare the new version against prior versions for broader Actions or Resources; and analyze the user identity, source IP and user agent to distinguish interactive from automated activity. Correlating with AttachUserPolicy/AttachRolePolicy events or with a spike in CreatePolicyVersion calls helps validate a coordinated attack.

Remediation involves reverting the policy to a known-good version, deleting or detaching malicious versions, and revoking excess iam:* permissions from the actor. False positives include routine policy versioning in mature environments. References include the AWS API docs and MITRE ATT&CK mappings (T1098 Account Manipulation; T1548.005 Temporary Elevated Cloud Access).
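The following is an added example, not the rule's own query or any Elastic code. It runs the rule's matching logic over a handful of constructed CloudTrail records (placeholder account ID, ARNs and IP addresses) using raw CloudTrail field names (eventSource, eventName, errorCode, userAgent) rather than the ECS fields the rule queries, then performs the triage step the summary describes: it diffs the injected policyDocument against a constructed known-good version and flags wildcard admin grants. The user-agent markers and the KNOWN_GOOD lookup are assumptions for illustration.

```python
import json

# Constructed sample CloudTrail records for illustration (not real events).
# Account ID 123456789012 and all ARNs and IPs are placeholders.
EVENTS = [
    {   # 1: interactive user injects a full-admin document and activates it immediately
        "eventSource": "iam.amazonaws.com", "eventName": "CreatePolicyVersion",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/dev-alice"},
        "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0 Python/3.11.6",
        "requestParameters": {
            "policyArn": "arn:aws:iam::123456789012:policy/AppDeployPolicy",
            "policyDocument": json.dumps({"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Action": "*", "Resource": "*"}]}),
            "setAsDefault": True}},
    {   # 2: same API call from Terraform -> excluded as infrastructure tooling
        "eventSource": "iam.amazonaws.com", "eventName": "CreatePolicyVersion",
        "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/ci/run-42"},
        "sourceIPAddress": "198.51.100.7", "userAgent": "APN/1.0 HashiCorp/1.0 Terraform/1.7.0",
        "requestParameters": {"policyArn": "arn:aws:iam::123456789012:policy/AppDeployPolicy",
                              "policyDocument": json.dumps({"Version": "2012-10-17", "Statement": []}),
                              "setAsDefault": False}},
    {   # 3: a previously staged version is flipped to default; no document in this call
        "eventSource": "iam.amazonaws.com", "eventName": "SetDefaultPolicyVersion",
        "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/support/bob"},
        "sourceIPAddress": "203.0.113.10", "userAgent": "console.amazonaws.com",
        "requestParameters": {"policyArn": "arn:aws:iam::123456789012:policy/AppDeployPolicy",
                              "versionId": "v3"}},
    {   # 4: denied attempt -> not a success, so the rule does not fire
        "eventSource": "iam.amazonaws.com", "eventName": "CreatePolicyVersion", "errorCode": "AccessDenied",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/dev-alice"},
        "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0 Python/3.11.6",
        "requestParameters": {"policyArn": "arn:aws:iam::123456789012:policy/BreakGlassAdmin"}},
]

# Constructed known-good default document for the policy, used for the version comparison.
KNOWN_GOOD = {"arn:aws:iam::123456789012:policy/AppDeployPolicy": {
    "Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::app-artifacts/*"}]}}

# Assumed user-agent markers for the tooling the rule excludes.
AUTOMATION_UA = ("terraform", "cloudformation", "servicecatalog")


def matches_rule(ev):
    """Mirror the rule's filter: IAM provider, the two actions, success, no known automation."""
    if ev.get("eventSource") != "iam.amazonaws.com":
        return False
    if ev.get("eventName") not in ("CreatePolicyVersion", "SetDefaultPolicyVersion"):
        return False
    if ev.get("errorCode"):                        # CloudTrail sets errorCode on failed calls
        return False
    if ev.get("userIdentity", {}).get("type") == "AWSService":
        return False
    return not any(m in ev.get("userAgent", "").lower() for m in AUTOMATION_UA)


def _as_list(v):
    return v if isinstance(v, list) else [v]


def allowed(doc):
    """Set of (action, resource) pairs granted by the document's Allow statements."""
    pairs = set()
    for s in _as_list(doc.get("Statement", [])):
        if s.get("Effect") != "Allow":
            continue
        for a in _as_list(s.get("Action", [])):
            for r in _as_list(s.get("Resource", [])):
                pairs.add((a, r))
    return pairs


def escalated(old_doc, new_doc):
    """Grants present in the new version but absent from the known-good one."""
    return sorted(allowed(new_doc) - allowed(old_doc))


def triage(events, known_good):
    """Apply the rule and enrich each hit with the fields an analyst looks at first."""
    alerts = []
    for ev in events:
        if not matches_rule(ev):
            continue
        rp = ev.get("requestParameters", {})
        arn = rp.get("policyArn")
        alert = {"eventName": ev["eventName"], "policyArn": arn,
                 "actor": ev["userIdentity"].get("arn"), "sourceIP": ev.get("sourceIPAddress"),
                 "setAsDefault": bool(rp.get("setAsDefault", False)),
                 "versionId": rp.get("versionId"), "newGrants": [], "wildcardAdmin": False}
        if "policyDocument" in rp:                 # only CreatePolicyVersion carries a document
            new_doc = json.loads(rp["policyDocument"])
            old_doc = known_good.get(arn, {"Statement": []})
            alert["newGrants"] = escalated(old_doc, new_doc)
            alert["wildcardAdmin"] = any(a in ("*", "iam:*") and r == "*" for a, r in allowed(new_doc))
        alerts.append(alert)
    return alerts


def run_demo():
    return triage(EVENTS, KNOWN_GOOD)


if __name__ == "__main__":
    for alert in run_demo():
        print(json.dumps(alert))
```

Run as-is it prints two alerts: the aws-cli CreatePolicyVersion with setAsDefault true and a new ("*", "*") grant, and the console SetDefaultPolicyVersion switching to v3, which carries no document and therefore has to be resolved against the stored versions (GetPolicyVersion) during investigation. The Terraform call and the AccessDenied attempt are dropped, which is also why denied CreatePolicyVersion attempts deserve their own hunt.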
Categories
- Cloud
- AWS
- Identity Management
Data Sources
- Cloud Service
ATT&CK Techniques
- T1098
- T1548
- T1548.005
Created: 2026-04-08