
Summary
This detection rule is designed to identify instances where a user assumes an AWS role using a new Multi-Factor Authentication (MFA) device. The rule targets the AWS Security Token Service (STS) AssumeRole API, which lets users obtain temporary credentials for accessing AWS resources. While the use of a new MFA device does not necessarily indicate malicious activity, it warrants scrutiny because attackers could exploit this method for persistence and privilege escalation. The rule articulates investigation steps to verify the legitimacy of the role assumption and the new MFA device, alongside potential responses to unauthorized access attempts. Mitigating false positives related to legitimate administrative actions or new employee onboarding processes is emphasized, aiming to fine-tune detection accuracy without hindering operational workflows.
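As an added illustration of the detection logic described above (this is example code, not the rule's own query), the following Python builds a per-user baseline of MFA device serials from a learning window of constructed CloudTrail records and then alerts on the first AssumeRole call per user whose MFA serial is not in that baseline. The record layout (requestParameters.serialNumber, userIdentity.arn), the account id and every sample value are assumptions made for the example.

```python
# Constructed sample data for this example (not real CloudTrail logs).
ACCOUNT = "123456789012"
ALICE = f"arn:aws:iam::{ACCOUNT}:user/alice"
BOB = f"arn:aws:iam::{ACCOUNT}:user/bob"
MFA_ALICE_OLD = f"arn:aws:iam::{ACCOUNT}:mfa/alice-phone"
MFA_ALICE_NEW = f"arn:aws:iam::{ACCOUNT}:mfa/alice-newphone"
MFA_BOB = f"arn:aws:iam::{ACCOUNT}:mfa/bob-phone"

def _ev(time, user, name, serial=None, role=f"arn:aws:iam::{ACCOUNT}:role/Admin"):
    """Build a minimal CloudTrail-style STS record; the field layout is an assumption."""
    params = {"roleArn": role, "roleSessionName": user.rsplit("/", 1)[-1]}
    if serial:
        params["serialNumber"] = serial  # MFA device ARN, present only when MFA was used
    return {"eventTime": time, "eventSource": "sts.amazonaws.com", "eventName": name,
            "userIdentity": {"type": "IAMUser", "arn": user}, "requestParameters": params}

HISTORY = [_ev("2024-10-01T08:00:00Z", ALICE, "AssumeRole", MFA_ALICE_OLD)]  # learning window
WINDOW = [
    _ev("2024-10-25T09:00:00Z", ALICE, "AssumeRole", MFA_ALICE_OLD),  # known device
    _ev("2024-10-25T09:05:00Z", ALICE, "AssumeRole", MFA_ALICE_NEW),  # new device: alert
    _ev("2024-10-25T09:06:00Z", ALICE, "AssumeRole", MFA_ALICE_NEW),  # repeat: no alert
    _ev("2024-10-25T09:10:00Z", BOB, "AssumeRole"),                   # no MFA: out of scope
    _ev("2024-10-25T09:11:00Z", BOB, "GetSessionToken", MFA_BOB),     # not AssumeRole
    _ev("2024-10-25T09:12:00Z", BOB, "AssumeRole", MFA_BOB),          # never seen: alert
]

def mfa_assume_role(event):
    """Return (user_arn, mfa_serial) for an sts:AssumeRole call made with MFA, else None."""
    if (event.get("eventSource"), event.get("eventName")) != ("sts.amazonaws.com", "AssumeRole"):
        return None
    serial = (event.get("requestParameters") or {}).get("serialNumber")
    user = (event.get("userIdentity") or {}).get("arn")
    return (user, serial) if user and serial else None

def build_baseline(events):
    """Map each user ARN to the MFA device serials it has already assumed roles with."""
    baseline = {}
    for ev in events:
        hit = mfa_assume_role(ev)
        if hit:
            baseline.setdefault(hit[0], set()).add(hit[1])
    return baseline

def detect_new_mfa_devices(events, baseline):
    """Alert on the first AssumeRole per (user, MFA device) pair absent from the baseline."""
    alerts = []
    for ev in events:
        hit = mfa_assume_role(ev)
        if hit and hit[1] not in baseline.setdefault(hit[0], set()):
            baseline[hit[0]].add(hit[1])  # learn it so repeats do not re-alert
            alerts.append({"time": ev["eventTime"], "user": hit[0], "mfa_device": hit[1],
                           "role": ev["requestParameters"].get("roleArn")})
    return alerts
```

Seeding the baseline from a long history window is what keeps routine use of an already-enrolled device out of the alert stream; onboarding a genuinely new employee still fires once and is where the rule's false-positive handling applies.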
Categories
- Cloud
Data Sources
- Cloud Storage
- User Account
- Process
ATT&CK Techniques
- T1556
- T1556.006
- T1548
- T1550
- T1550.001
Created: 2024-10-25