
Summary
This detection rule identifies potential brute force attempts to assume an AWS Identity and Access Management (IAM) role by monitoring CloudTrail logs for multiple failed attempts. It specifically looks for failure events carrying the error code `MalformedPolicyDocumentException`, which indicates an improper policy document in the assume role request, while filtering out legitimate AWS service activity. Repeated failures suggest that an adversary may be trying to enumerate or guess IAM role names in order to gain unauthorized access to AWS resources, which can lead to severe security breaches if successful. Security teams are encouraged to tune this detection to minimize false positives from legitimate access attempts, particularly by focusing on known source addresses or user groups, and to correlate findings with other data sources for comprehensive visibility into potential security incidents.
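The matching logic described above, as an added example that is not part of the original rule: it keeps STS `AssumeRole` records whose `errorCode` is `MalformedPolicyDocumentException`, drops AWS-service callers, and counts failures per caller and source address inside a fixed time bucket. The threshold, the 600-second window and the sample CloudTrail records are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

ERROR = "MalformedPolicyDocumentException"

def is_failed_assume_role(ev):
    """STS AssumeRole call that failed with the error code the rule keys on."""
    return (ev.get("eventSource") == "sts.amazonaws.com"
            and ev.get("eventName") == "AssumeRole"
            and ev.get("errorCode") == ERROR)

def is_aws_service_activity(ev):
    """Calls AWS makes on the account's behalf (service principal or invokedBy)."""
    ident = ev.get("userIdentity", {})
    return (ident.get("type") == "AWSService" or "invokedBy" in ident
            or ev.get("sourceIPAddress", "").endswith(".amazonaws.com"))

def _bucket(event_time, window_s):
    # Fixed-size time bucket; a simple stand-in for a sliding window.
    ts = datetime.fromisoformat(event_time.replace("Z", "+00:00")).timestamp()
    return int(ts) // window_s

def detect_assume_role_brute_force(events, threshold=5, window_s=600):
    """Return {(sourceIPAddress, caller arn): failures} for callers at or over threshold."""
    counts = defaultdict(int)
    for ev in events:
        if is_failed_assume_role(ev) and not is_aws_service_activity(ev):
            key = (ev.get("sourceIPAddress"), ev["userIdentity"].get("arn"),
                   _bucket(ev["eventTime"], window_s))
            counts[key] += 1
    return {(ip, arn): n for (ip, arn, _), n in counts.items() if n >= threshold}

# --- constructed sample records (assumed shape, not real CloudTrail data) ---
def _record(ip, ident, minute, error=ERROR):
    rec = {"eventTime": f"2024-11-14T10:{minute:02d}:00Z", "eventSource": "sts.amazonaws.com",
           "eventName": "AssumeRole", "sourceIPAddress": ip, "userIdentity": ident}
    if error:                      # CloudTrail omits errorCode on success
        rec["errorCode"] = error
    return rec

DEV = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/dev"}
OPS = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ops"}
SVC = {"type": "AWSService", "invokedBy": "lambda.amazonaws.com"}
SAMPLE_EVENTS = (
    [_record("203.0.113.10", DEV, m) for m in range(6)]            # 6 failures in 6 minutes
    + [_record("198.51.100.7", OPS, 3)]                             # one typo-style failure
    + [_record("lambda.amazonaws.com", SVC, m) for m in range(6)]   # service noise, excluded
    + [_record("203.0.113.10", DEV, 7, error=None)]                 # success, no errorCode
)
```

Calling `detect_assume_role_brute_force(SAMPLE_EVENTS)` flags only the `user/dev` caller from 203.0.113.10 with six failures; the single failure and the service-principal records fall below the threshold or are excluded.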
Categories
- AWS
- Cloud
- Identity Management
Data Sources
- Cloud Storage
ATT&CK Techniques
- T1580
- T1110
Created: 2024-11-14