AWS IAM CompromisedKeyQuarantine Policy Attached to User

Elastic Detection Rules

Summary
This rule detects use of the IAM `AttachUserPolicy` API operation to attach the AWS managed policies `CompromisedKeyQuarantine` or `CompromisedKeyQuarantineV2` to an existing IAM user. AWS attaches these policies when an IAM user's credentials may have been compromised or exposed; they restrict access to critical AWS actions. The detection triggers only on successful attachments, which indicate that AWS has taken precautionary action in response to compromised credentials. The rule emphasizes the importance of investigating the incident through specified triage steps, including reviewing CloudTrail logs, understanding the context of the quarantine via AWS support cases, and ensuring an appropriate response to mitigate further risk.
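The detection logic described above, run over constructed CloudTrail records, as an added example that is not part of the Elastic rule or its query language. It assumes CloudTrail's standard `eventSource`, `eventName`, `errorCode` and `requestParameters.policyArn` fields and that the managed policy names carry an `AWS` prefix; the sample events, account id and user names are made up.

```python
import json
from typing import Iterable

# Policy names the rule looks for; AWS publishes them as managed policies whose
# names carry an "AWS" prefix (that prefix is an assumption, not from the page).
QUARANTINE_POLICIES = ("CompromisedKeyQuarantine", "CompromisedKeyQuarantineV2")

# Constructed CloudTrail records for illustration only; not real log data.
SAMPLE_EVENTS = [
    json.dumps({"eventTime": "2024-07-20T10:01:00Z", "eventSource": "iam.amazonaws.com",
                "eventName": "AttachUserPolicy",
                "userIdentity": {"arn": "arn:aws:iam::123456789012:user/aws-support-automation"},
                "requestParameters": {"userName": "deploy-bot",
                                      "policyArn": "arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantineV2"}}),
    json.dumps({"eventTime": "2024-07-20T10:02:00Z", "eventSource": "iam.amazonaws.com",
                "eventName": "AttachUserPolicy",
                "userIdentity": {"arn": "arn:aws:iam::123456789012:user/admin"},
                "requestParameters": {"userName": "analyst",
                                      "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}}),
    json.dumps({"eventTime": "2024-07-20T10:03:00Z", "eventSource": "iam.amazonaws.com",
                "eventName": "AttachUserPolicy", "errorCode": "AccessDenied",
                "userIdentity": {"arn": "arn:aws:iam::123456789012:user/intern"},
                "requestParameters": {"userName": "deploy-bot",
                                      "policyArn": "arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantine"}}),
]


def is_quarantine_attachment(event: dict) -> bool:
    """True for a successful AttachUserPolicy of a CompromisedKeyQuarantine* policy."""
    if (event.get("eventSource") != "iam.amazonaws.com"
            or event.get("eventName") != "AttachUserPolicy"
            or "errorCode" in event):  # a failed call did not quarantine anyone
        return False
    arn = (event.get("requestParameters") or {}).get("policyArn", "")
    policy_name = arn.rsplit("/", 1)[-1]
    return policy_name.endswith(QUARANTINE_POLICIES)


def find_quarantined_users(records: Iterable[str]) -> list[dict]:
    """Return one triage record per matching event: who was quarantined, by whom, when."""
    hits = []
    for raw in records:
        event = json.loads(raw)
        if is_quarantine_attachment(event):
            params = event["requestParameters"]
            hits.append({"user": params["userName"],
                         "policy": params["policyArn"].rsplit("/", 1)[-1],
                         "actor": event.get("userIdentity", {}).get("arn"),
                         "time": event.get("eventTime")})
    return hits
```

Only the first sample event matches: the second attaches an unrelated policy and the third failed with `AccessDenied`, so the quarantined user list contains just `deploy-bot`.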
Categories
  • Cloud
  • AWS
  • Identity Management
Data Sources
  • Cloud Service
  • Script
  • User Account
ATT&CK Techniques
  • T1552
Created: 2024-07-20