
Summary
This rule is designed to detect when a user attaches an IAM policy to a role other than the one they are acting as within AWS (the CloudTrail `AttachRolePolicy` API call), a behavior that could signify unauthorized access or deliberate privilege escalation. The analytic uses CloudTrail events delivered through CloudWatch Logs to monitor for the attach-policy event. It extracts pertinent fields including `policyArn`, `sourceIPAddress`, and `userIdentity`, which identify the principal involved and the context of the action. This is critical because attaching a permissive policy to a role an attacker can assume lets them gain elevated permissions unexpectedly, posing a risk to sensitive AWS resources and data. By correlating the acting principal with the role being modified, the rule helps identify potential lateral movement by malicious actors. The implementation uses existing Splunk infrastructure and AWS CloudTrail logs, and filters can be added to suppress known benign activity (for example an infrastructure-as-code deployment role) that would otherwise generate noise in the detection alerts.
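The detection logic described above, reimplemented in Python over constructed CloudTrail records as an added example (this is not the rule's own Splunk search, and the account ID, role names, IP addresses and allowlist entries are all made up). It matches the three IAM attach-policy event names, pulls out `policyArn`, `sourceIPAddress` and `userIdentity`, flags the case where an assumed-role session attaches a policy to a different role, drops an allowlisted deploy principal, and keeps failed attempts, which CloudTrail records with an `errorCode`:

```python
"""Added example: flag IAM policy-attachment events in CloudTrail records.

Reimplements the detection logic in Python over constructed sample records.
The original detection is a Splunk search over CloudTrail data delivered via
CloudWatch Logs; this is an illustration, not that SPL.
"""
import json
from typing import Any, Dict, List, Optional

# CloudTrail eventName values for the IAM attach operations, mapped to the
# requestParameters field that names the principal receiving the policy.
ATTACH_EVENTS = {
    "AttachRolePolicy": "roleName",
    "AttachUserPolicy": "userName",
    "AttachGroupPolicy": "groupName",
}

# Constructed allowlist of principals whose attachments are expected
# (a hypothetical infrastructure-as-code deploy role). Tune per account.
KNOWN_BENIGN_ACTORS = {
    "arn:aws:sts::123456789012:assumed-role/TerraformDeployRole/ci-runner",
}

def actor_role_name(identity: Dict[str, Any]) -> Optional[str]:
    """For an AssumedRole identity, return the role that issued the session;
    None for IAM users, root, or any other identity type."""
    if identity.get("type") != "AssumedRole":
        return None
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("userName")

def evaluate(record: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return a finding for an attach-policy event, or None when the record
    is not one or the acting principal is allowlisted."""
    target_field = ATTACH_EVENTS.get(record.get("eventName", ""))
    if target_field is None:
        return None
    identity = record.get("userIdentity", {})
    actor_arn = identity.get("arn", "")
    if actor_arn in KNOWN_BENIGN_ACTORS:
        return None
    params = record.get("requestParameters") or {}
    target = params.get(target_field)
    issuer = actor_role_name(identity)
    return {
        "eventTime": record.get("eventTime"),
        "eventName": record["eventName"],
        "actor": actor_arn,
        "actorType": identity.get("type"),
        "sourceIPAddress": record.get("sourceIPAddress"),
        "policyArn": params.get("policyArn"),
        "target": target,
        # True when a role session grants permissions to some *other* role,
        # the pattern the rule description calls out.
        "crossRole": issuer is not None and target_field == "roleName" and target != issuer,
        # Failed calls are logged too; CloudTrail sets errorCode on them.
        "errorCode": record.get("errorCode"),
    }

def detect(lines: List[str]) -> List[Dict[str, Any]]:
    """Run evaluate() over newline-delimited JSON CloudTrail records."""
    findings = []
    for line in lines:
        if line.strip():
            finding = evaluate(json.loads(line))
            if finding:
                findings.append(finding)
    return findings

def _rec(**fields: Any) -> str:
    return json.dumps({"eventVersion": "1.08", "eventSource": "iam.amazonaws.com", **fields})

# Constructed sample records (not real log data).
SAMPLE_RECORDS = [
    _rec(eventName="AttachRolePolicy", eventTime="2024-11-14T10:01:12Z",
         sourceIPAddress="198.51.100.23",
         userIdentity={"type": "AssumedRole",
                       "arn": "arn:aws:sts::123456789012:assumed-role/DevOpsRole/alice",
                       "sessionContext": {"sessionIssuer": {"userName": "DevOpsRole"}}},
         requestParameters={"roleName": "DataPipelineRole",
                            "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    _rec(eventName="AttachRolePolicy", eventTime="2024-11-14T10:02:00Z",
         sourceIPAddress="203.0.113.9",
         userIdentity={"type": "AssumedRole",
                       "arn": "arn:aws:sts::123456789012:assumed-role/TerraformDeployRole/ci-runner",
                       "sessionContext": {"sessionIssuer": {"userName": "TerraformDeployRole"}}},
         requestParameters={"roleName": "AppRole",
                            "policyArn": "arn:aws:iam::123456789012:policy/AppReadOnly"}),
    _rec(eventName="AttachUserPolicy", eventTime="2024-11-14T10:03:41Z",
         sourceIPAddress="198.51.100.77",
         userIdentity={"type": "IAMUser", "userName": "bob",
                       "arn": "arn:aws:iam::123456789012:user/bob"},
         requestParameters={"userName": "mallory",
                            "policyArn": "arn:aws:iam::aws:policy/IAMFullAccess"}),
    _rec(eventName="ListRoles", eventTime="2024-11-14T10:04:05Z",
         sourceIPAddress="198.51.100.77",
         userIdentity={"type": "IAMUser", "userName": "bob",
                       "arn": "arn:aws:iam::123456789012:user/bob"}),
    _rec(eventName="AttachRolePolicy", eventTime="2024-11-14T10:05:30Z",
         sourceIPAddress="192.0.2.45", errorCode="AccessDenied",
         userIdentity={"type": "IAMUser", "userName": "eve",
                       "arn": "arn:aws:iam::123456789012:user/eve"},
         requestParameters={"roleName": "DataPipelineRole",
                            "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_RECORDS):
        print(json.dumps(f))
```

Running the block prints three findings: the cross-role AdministratorAccess attachment by the DevOpsRole session, bob's attachment to another user, and eve's denied attempt; the deploy-role attachment is suppressed by the allowlist and `ListRoles` is ignored. In production the allowlist should key on the session issuer rather than the full session ARN, since the session name suffix varies per assumption.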
Categories
- Cloud
- AWS
- Identity Management
Data Sources
- Cloud Service
- Logon Session
- Application Log
ATT&CK Techniques
- T1078
Created: 2024-11-14