AWS EC2 Instance Connect SSH Public Key Uploaded

Elastic Detection Rules

Summary
This detection rule identifies SSH public key uploads to AWS EC2 instances via the EC2 Instance Connect service, an action that may indicate an adversary attempting to gain or maintain unauthorized access. The rule matches the AWS API calls 'SendSSHPublicKey' and 'SendSerialConsoleSSHPublicKey', which typically log a user's attempt to upload or manage SSH keys for an instance or its serial console. Because EC2 Instance Connect uploads a key automatically whenever a user connects to an instance through it, these events also occur during legitimate use, so each match should be scrutinized rather than treated as malicious on its own. Investigation should cover the user credentials involved, the request details and geographic source of the request, correlation with other activity by the same identity, and an audit of the permissions and policies attached to the affected EC2 instances.
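The following Python is an added example of the detection logic described above applied to CloudTrail-style records; it is not Elastic's rule and not code from this page. It assumes the usual CloudTrail JSON field names (eventSource, eventName, userIdentity, sourceIPAddress, requestParameters, errorCode), and the sample records, instance IDs, ARNs and IP addresses are constructed for the example. The allowlist of expected source IPs used for triage is likewise an assumption an analyst would replace with their own known admin egress addresses.

```python
"""Flag EC2 Instance Connect SSH public key uploads in CloudTrail records.

Added example (not Elastic's rule). Field names follow CloudTrail's JSON
layout as an assumption; all sample data below is constructed.
"""
from collections import Counter

# The two API actions the rule looks for, and the service that emits them.
WATCHED_ACTIONS = {"SendSSHPublicKey", "SendSerialConsoleSSHPublicKey"}
EC2_INSTANCE_CONNECT = "ec2-instance-connect.amazonaws.com"

# Constructed sample records (documentation IP range, example account ID).
SAMPLE_RECORDS = [
    {   # successful key upload by an IAM user -> should match
        "eventTime": "2024-04-30T10:15:00Z",
        "eventSource": EC2_INSTANCE_CONNECT,
        "eventName": "SendSSHPublicKey",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"instanceId": "i-0123456789abcdef0",
                              "instanceOSUser": "ec2-user"},
    },
    {   # denied attempt: errorCode present -> excluded (no key was placed)
        "eventTime": "2024-04-30T10:16:00Z",
        "eventSource": EC2_INSTANCE_CONNECT,
        "eventName": "SendSSHPublicKey",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "errorCode": "AccessDenied",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"instanceId": "i-0fedcba9876543210",
                              "instanceOSUser": "ec2-user"},
    },
    {   # unrelated EC2 API call -> excluded
        "eventTime": "2024-04-30T10:17:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::123456789012:user/alice"},
    },
    {   # serial console key upload from an assumed role, unexpected IP -> match
        "eventTime": "2024-04-30T23:40:00Z",
        "eventSource": EC2_INSTANCE_CONNECT,
        "eventName": "SendSerialConsoleSSHPublicKey",
        "awsRegion": "eu-west-1",
        "sourceIPAddress": "198.51.100.77",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/Ops/bob"},
        "requestParameters": {"instanceId": "i-0123456789abcdef0",
                              "serialPort": 0},
    },
]


def is_key_upload(record):
    """True for a successful Instance Connect key upload (either API call)."""
    return (record.get("eventSource") == EC2_INSTANCE_CONNECT
            and record.get("eventName") in WATCHED_ACTIONS
            and "errorCode" not in record)


def find_key_uploads(records):
    """Return the fields an analyst needs for triage, one dict per match."""
    hits = []
    for r in records:
        if not is_key_upload(r):
            continue
        params = r.get("requestParameters") or {}
        hits.append({
            "time": r.get("eventTime"),
            "action": r["eventName"],
            "actor": (r.get("userIdentity") or {}).get("arn", "<unknown>"),
            "source_ip": r.get("sourceIPAddress"),
            "region": r.get("awsRegion"),
            "instance": params.get("instanceId", "<unknown>"),
            "os_user": params.get("instanceOSUser"),  # absent for serial console
        })
    return hits


def uploads_per_actor(hits):
    """Count uploads per identity; a burst from one principal merits review."""
    return Counter(h["actor"] for h in hits)


def uploads_from_unexpected_sources(hits, expected_ips):
    """Matches whose source IP is outside the allowlist (assumed admin egress)."""
    return [h for h in hits if h["source_ip"] not in expected_ips]


if __name__ == "__main__":
    hits = find_key_uploads(SAMPLE_RECORDS)
    for h in hits:
        print(h)
    print(uploads_per_actor(hits))
    print(uploads_from_unexpected_sources(hits, {"203.0.113.10"}))
```

Failed calls are excluded because no key reached the instance, but they are still worth counting separately: repeated AccessDenied responses against the same instance are a useful signal in their own right. The serial console variant carries no instanceOSUser, so the triage output leaves that field empty rather than guessing.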
Categories
  • Cloud
  • Infrastructure
  • Identity Management
Data Sources
  • Cloud Service
  • Network Traffic
  • User Account
ATT&CK Techniques
  • T1021
  • T1021.004
  • T1098
  • T1098.004
Created: 2024-04-30