
Sensitive API Calls Via VPC Endpoint

Panther Rules

Summary
This rule detects sensitive or unusual API calls made through AWS Virtual Private Cloud (VPC) endpoints. It targets calls that can indicate lateral movement, reconnaissance, or other malicious activity inside a cloud environment. It is written against AWS CloudTrail events, which record the ID of any VPC endpoint a call traversed, and it covers API actions of services such as CloudTrail itself, EC2, KMS, S3, and Secrets Manager. Because it runs against events as they arrive, it lets an organization spot and respond to attackers who abuse VPC endpoint paths to reach resources they should not be able to reach, or to tamper with them.

For each event the rule examines the identity that made the call, the service the call was directed at, and the specific API action invoked. If the action is one classified as sensitive, an alert is raised and the analyst determines whether the call matches expected behaviour for that identity and workload. The accompanying runbook lays out the triage steps so that response is consistent.

Alerts from this rule are also a reminder that VPC endpoint policies should be tightly scoped to the principals and actions each endpoint actually needs to serve. The rule is mapped to the MITRE ATT&CK techniques listed below to help categorize the attacker behaviour it surfaces.
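To make the detection logic concrete, the following is an added example of a Panther-style rule in Python, not the rule Panther ships. It uses the CloudTrail top-level vpcEndpointId field to scope to endpoint traffic, and it looks up the event's service and action in a sensitive-action table. That table, the helper names (`_service`, `evaluate`), and the sample CloudTrail events are assumptions constructed for this example; the real rule's list of sensitive actions may differ.

```python
# Added example, not Panther's shipped rule. Panther calls rule(), title()
# and alert_context() once per CloudTrail event; plain dicts stand in for
# Panther's event object here because both support .get().

# Assumed sensitive actions per service (the real rule's list may differ).
SENSITIVE_ACTIONS = {
    "cloudtrail": {"StopLogging", "DeleteTrail", "UpdateTrail"},
    "ec2": {"DescribeInstances", "DescribeSecurityGroups",
            "ModifyInstanceAttribute", "AuthorizeSecurityGroupIngress"},
    "kms": {"Decrypt", "DisableKey", "ScheduleKeyDeletion", "PutKeyPolicy"},
    "s3": {"PutBucketPolicy", "PutBucketAcl", "DeleteBucketPolicy"},
    "secretsmanager": {"GetSecretValue", "PutSecretValue", "DeleteSecret"},
}


def _service(event):
    # eventSource looks like "kms.amazonaws.com"; the first label is the service.
    return (event.get("eventSource") or "").split(".")[0]


def rule(event):
    # CloudTrail stamps calls that traversed a VPC endpoint with vpcEndpointId;
    # calls that came in over the public API have no such field.
    if not event.get("vpcEndpointId"):
        return False
    return event.get("eventName") in SENSITIVE_ACTIONS.get(_service(event), set())


def title(event):
    actor = (event.get("userIdentity") or {}).get("arn", "<unknown>")
    return (f"Sensitive {_service(event)}:{event.get('eventName')} via "
            f"{event.get('vpcEndpointId')} by {actor}")


def alert_context(event):
    # The fields an analyst needs first when following the runbook.
    ident = event.get("userIdentity") or {}
    return {
        "actor_arn": ident.get("arn"),
        "identity_type": ident.get("type"),
        "service": _service(event),
        "action": event.get("eventName"),
        "vpc_endpoint": event.get("vpcEndpointId"),
        "source_ip": event.get("sourceIPAddress"),
        "error": event.get("errorCode"),  # denied attempts are still worth seeing
    }


def evaluate(events):
    """Return alert titles for the events that fire the rule."""
    return [title(e) for e in events if rule(e)]


# Constructed CloudTrail events, trimmed to the fields the rule reads.
SAMPLE_EVENTS = [
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "vpcEndpointId": "vpce-0a1b2c3d4e5f6a7b8", "sourceIPAddress": "10.0.3.17",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/app-task/i-0abc"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "vpcEndpointId": "vpce-0a1b2c3d4e5f6a7b8", "sourceIPAddress": "10.0.3.17",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/app-task/i-0abc"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::123456789012:user/ops"}},
    {"eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue",
     "errorCode": "AccessDenied",
     "vpcEndpointId": "vpce-09f8e7d6c5b4a3210", "sourceIPAddress": "10.0.5.42",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ci-runner/build-77"}},
]

if __name__ == "__main__":
    for line in evaluate(SAMPLE_EVENTS):
        print(line)
```

Of the four constructed events, only the KMS Decrypt and the Secrets Manager GetSecretValue fire: the S3 GetObject came through an endpoint but is not in the sensitive set, and the EC2 DescribeInstances is a sensitive discovery call but did not traverse an endpoint, so it belongs to a different detection. The failed GetSecretValue is kept on purpose; an AccessDenied from inside the VPC is often the first sign of a compromised workload probing what it can reach.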
Categories
  • Cloud
  • AWS
  • Infrastructure
Data Sources
  • Cloud Service
  • Cloud Storage
  • Logon Session
ATT&CK Techniques
  • T1526 (Cloud Service Discovery)
  • T1098 (Account Manipulation)
  • T1562 (Impair Defenses)
  • T1599 (Network Boundary Bridging)
Created: 2025-03-28