Logins Without SAML

Panther Rules

Summary
This rule detects potentially unauthorized AWS Management Console logins that complete without Security Assertion Markup Language (SAML) or Single Sign-On (SSO). SAML is a federation protocol that lets organizations give users a simpler and more secure way to log in, particularly in enterprise environments. A successful console login that does not go through SAML can indicate a security risk, because it bypasses the authentication path that AWS accounts are encouraged to enforce. The rule uses AWS CloudTrail logs to monitor console login activity and checks that each login meets the expected SAML/SSO criteria. When a login completes without SAML, the rule raises an alert that prompts investigation of that login; the result may be evidence of unauthorized access or of a misconfiguration in account settings.

Organizations are also advised to adjust their AWS configuration to enforce SAML wherever possible, reducing exposure to initial-access events such as valid-account abuse. The reference link in the rule gives guidance on enabling console login with SAML for compliant configurations.
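The detection logic described above, written as an added example in the `rule(event)` / `title(event)` function shape that Panther Python rules use. This is illustrative code, not the Panther rule itself: it assumes the standard CloudTrail `ConsoleLogin` fields (`eventName`, `userIdentity.type`, `additionalEventData.SamlProviderArn`, `responseElements.ConsoleLogin`), treats any successful console login that carries no SAML provider ARN as a match, and uses constructed sample events so it runs offline without Panther's helper libraries.

```python
from typing import Any, Dict, Optional


def deep_get(obj: Dict[str, Any], *keys: str) -> Optional[Any]:
    """Walk nested dicts safely, returning None when any key is missing."""
    cur: Any = obj
    for key in keys:
        if not isinstance(cur, dict):
            return None
        cur = cur.get(key)
    return cur


def rule(event: Dict[str, Any]) -> bool:
    """Fire on a successful console login that did not go through SAML.

    Federated (SAML) console logins record the identity provider in
    additionalEventData.SamlProviderArn; its absence on a successful
    ConsoleLogin means the user authenticated some other way (IAM user
    password, root credentials, or a non-SAML federation path).
    """
    if event.get("eventName") != "ConsoleLogin":
        return False
    # Only successful logins matter for this rule; failed attempts are a
    # separate (brute-force style) detection.
    if deep_get(event, "responseElements", "ConsoleLogin") != "Success":
        return False
    return not deep_get(event, "additionalEventData", "SamlProviderArn")


def title(event: Dict[str, Any]) -> str:
    """Alert title naming the identity and account (assumed format)."""
    identity = (
        deep_get(event, "userIdentity", "userName")
        or deep_get(event, "userIdentity", "arn")
        or "unknown"
    )
    account = event.get("recipientAccountId", "unknown")
    return f"AWS console login without SAML by [{identity}] in account [{account}]"


# Constructed sample CloudTrail events (not real log data). The account id,
# ARNs and IP addresses are placeholders.
SAML_LOGIN: Dict[str, Any] = {
    "eventName": "ConsoleLogin",
    "eventSource": "signin.amazonaws.com",
    "recipientAccountId": "123456789012",
    "userIdentity": {
        "type": "AssumedRole",
        "arn": "arn:aws:sts::123456789012:assumed-role/Admins/jane",
    },
    "additionalEventData": {
        "SamlProviderArn": "arn:aws:iam::123456789012:saml-provider/ExampleIdP",
        "MFAUsed": "No",
    },
    "responseElements": {"ConsoleLogin": "Success"},
    "sourceIPAddress": "198.51.100.10",
}

IAM_USER_LOGIN: Dict[str, Any] = {
    "eventName": "ConsoleLogin",
    "eventSource": "signin.amazonaws.com",
    "recipientAccountId": "123456789012",
    "userIdentity": {
        "type": "IAMUser",
        "userName": "deploy-bot",
        "arn": "arn:aws:iam::123456789012:user/deploy-bot",
    },
    "additionalEventData": {"MFAUsed": "Yes"},
    "responseElements": {"ConsoleLogin": "Success"},
    "sourceIPAddress": "203.0.113.7",
}

FAILED_IAM_USER_LOGIN: Dict[str, Any] = {
    **IAM_USER_LOGIN,
    "responseElements": {"ConsoleLogin": "Failure"},
}

ROOT_LOGIN: Dict[str, Any] = {
    "eventName": "ConsoleLogin",
    "eventSource": "signin.amazonaws.com",
    "recipientAccountId": "123456789012",
    "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
    "additionalEventData": {"MFAUsed": "Yes"},
    "responseElements": {"ConsoleLogin": "Success"},
    "sourceIPAddress": "203.0.113.8",
}


def run_samples() -> Dict[str, bool]:
    """Evaluate each constructed event; returns {name: fired}."""
    samples = {
        "saml": SAML_LOGIN,
        "iam_user": IAM_USER_LOGIN,
        "iam_user_failed": FAILED_IAM_USER_LOGIN,
        "root": ROOT_LOGIN,
    }
    return {name: rule(evt) for name, evt in samples.items()}


if __name__ == "__main__":
    for name, fired in run_samples().items():
        print(f"{name:16s} -> {'ALERT' if fired else 'ok'}")
    print(title(IAM_USER_LOGIN))
```

The SAML-federated login is the only sample that passes quietly; the IAM user and root logins alert, and the failed IAM user attempt is ignored because the rule is scoped to successful logins. In a real deployment, an account that also uses non-SAML federation (for example OIDC-based access) would need an allowlist on `userIdentity` before this fires cleanly.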
Categories
  • Cloud
  • AWS
  • Identity Management
Data Sources
  • Cloud Storage
  • Application Log
ATT&CK Techniques
  • T1078
Created: 2022-09-02