
AWS Lateral Movement from Kubernetes SA via AssumeRoleWithWebIdentity
Elastic Detection Rules
Summary
Detects cloud-based lateral movement where a Kubernetes service account authenticates to AWS via AssumeRoleWithWebIdentity and then reuses the same session (access key) to perform a sequence of distinct AWS control-plane actions. The rule correlates events grouped by the AWS access key, requiring at least one initial AssumeRoleWithWebIdentity event followed by three or more subsequent (post-assume) actions across various AWS services. High-volume S3 data-plane activity is excluded to reduce noise.

The detection aggregates signals such as the number of assume events, the set of distinct actions, the phases involved (initial_access, recon, credential_access, lateral_movement, persistence, defense_evasion), and metadata such as source IPs, user names, and timestamps. This lets investigators identify sessions where an IRSA-based workload obtains short-lived credentials and then probes or manipulates IAM, parameter/secrets stores, or compute resources beyond normal pod traffic.

The rule maps to MITRE ATT&CK techniques including Use Alternate Authentication Material (T1550) with its Application Access Token sub-technique (T1550.001), Remote Services: Cloud Services (T1021.007), Cloud Service Discovery (T1526), and Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006). The output is anchored to the CloudTrail session identifier (aws.cloudtrail.user_identity.access_key_id) and provides fields to scope the time window, identity, and network context for follow-up triage and remediation (e.g., credential rotation, tightened OIDC trust, reduced service account permissions, and restricted egress).
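As an added illustration (not Elastic's rule code), the following Python models the correlation described above: group CloudTrail-style events by access key, require an AssumeRoleWithWebIdentity event, drop S3 data-plane calls, count distinct subsequent actions, and emit the aggregated signals. The shortened field names, the action-to-phase mapping and the sample events are assumptions constructed for this example.

```python
from collections import defaultdict

# Illustrative action-to-phase lookup (assumption: the rule's real mapping is not on the page).
PHASE_BY_ACTION = {
    "AssumeRoleWithWebIdentity": "initial_access",
    "GetCallerIdentity": "recon", "ListRoles": "recon", "ListBuckets": "recon",
    "GetSecretValue": "credential_access", "AssumeRole": "lateral_movement",
    "CreateAccessKey": "persistence", "StopLogging": "defense_evasion",
}
# Noisy S3 data-plane calls are excluded from the post-assume action count.
S3_DATA_PLANE = {"GetObject", "PutObject", "HeadObject", "ListObjects", "ListObjectsV2"}
MIN_POST_ACTIONS = 3

def ev(ts, key, svc, action, ip, user):
    return {"ts": ts, "key": key, "svc": svc, "action": action, "ip": ip, "user": user}

# Constructed CloudTrail-style sample (not real telemetry); "key" stands in for
# aws.cloudtrail.user_identity.access_key_id and timestamps are UTC ISO 8601.
K1, K2 = "ASIACONSTRUCTEDKEY1", "ASIACONSTRUCTEDKEY2"
SAMPLE_EVENTS = [
    ev("2026-04-22T10:00:00Z", K1, "sts", "AssumeRoleWithWebIdentity", "10.0.1.5", "system:serviceaccount:app:web"),
    ev("2026-04-22T10:00:05Z", K1, "sts", "GetCallerIdentity", "10.0.1.5", "app-irsa-role"),
    ev("2026-04-22T10:00:20Z", K1, "iam", "ListRoles", "10.0.1.5", "app-irsa-role"),
    ev("2026-04-22T10:01:00Z", K1, "s3", "GetObject", "10.0.1.5", "app-irsa-role"),
    ev("2026-04-22T10:02:00Z", K1, "s3", "ListBuckets", "10.0.1.5", "app-irsa-role"),
    ev("2026-04-22T10:03:00Z", K1, "secretsmanager", "GetSecretValue", "10.0.1.5", "app-irsa-role"),
    # Benign IRSA workload: same auth path, then only S3 data-plane traffic.
    ev("2026-04-22T10:00:00Z", K2, "sts", "AssumeRoleWithWebIdentity", "10.0.2.9", "system:serviceaccount:app:etl"),
    ev("2026-04-22T10:00:30Z", K2, "s3", "GetObject", "10.0.2.9", "etl-irsa-role"),
    ev("2026-04-22T10:00:31Z", K2, "s3", "PutObject", "10.0.2.9", "etl-irsa-role"),
]

def correlate(events):
    """Group by access key; alert when AssumeRoleWithWebIdentity is followed by
    MIN_POST_ACTIONS or more distinct non-data-plane actions on the same session."""
    by_key = defaultdict(list)
    for e in events:
        by_key[e["key"]].append(e)
    alerts = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])  # fixed-width ISO timestamps sort correctly as strings
        assume = [e for e in evs if e["action"] == "AssumeRoleWithWebIdentity"]
        if not assume:
            continue  # no web-identity session start, out of scope for this rule
        post = [e for e in evs if e["ts"] > assume[0]["ts"] and e["action"] != "AssumeRoleWithWebIdentity"
                and not (e["svc"] == "s3" and e["action"] in S3_DATA_PLANE)]
        actions = sorted({e["action"] for e in post})
        if len(actions) < MIN_POST_ACTIONS:
            continue
        alerts[key] = {
            "assume_count": len(assume), "actions": actions,
            "phases": sorted({PHASE_BY_ACTION.get(e["action"], "unknown") for e in assume + post}),
            "source_ips": sorted({e["ip"] for e in evs}), "user_names": sorted({e["user"] for e in evs}),
            "first_seen": evs[0]["ts"], "last_seen": evs[-1]["ts"],
        }
    return alerts
```

Running `correlate(SAMPLE_EVENTS)` flags only the first session; the ETL workload that only reads and writes S3 objects after assuming its role stays below the threshold.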
Categories
- Kubernetes
- AWS
- Cloud
Data Sources
- Cloud Service
ATT&CK Techniques
- T1550
- T1550.001
- T1021
- T1021.007
- T1526
- T1555
- T1555.006
Created: 2026-04-22