EC2 Data Enumeration

Anvilogic Forge

Summary
This detection rule identifies potential enumeration of AWS EC2 data by monitoring AWS CloudTrail logs. It targets a range of EC2 resources, including instances, security groups, elastic IPs, VPN gateways, dedicated hosts, and network configuration, and looks for the API calls that describe infrastructure components such as VPCs, NAT gateways, and subnets. By restricting the search to events from IAM user accounts within the last two hours, the rule captures potentially unauthorized reconnaissance of an AWS account. The logic is implemented as a Snowflake SQL query that retrieves the specific events of interest, so that cloud infrastructure discovery and assessment by unauthorized users or attackers can be detected.
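The same filtering logic applied to raw CloudTrail records, as an added illustration rather than the rule's own Snowflake SQL: keep EC2 Describe* calls made by IAM users inside a two-hour window and group them per user, so that one principal touching many resource types stands out. The Describe* list, the helper names and the sample records are assumptions constructed for this example.

```python
from datetime import datetime, timedelta, timezone

# CloudTrail eventName values for the resource types the rule covers (instances,
# security groups, EIPs, VPN gateways, dedicated hosts, VPCs, NAT gateways,
# subnets). Assumed list for this example, not the rule's own.
ENUM_API_CALLS = {
    "DescribeInstances", "DescribeSecurityGroups", "DescribeAddresses",
    "DescribeVpnGateways", "DescribeHosts", "DescribeVpcs",
    "DescribeNatGateways", "DescribeSubnets",
}
WINDOW = timedelta(hours=2)  # look-back window used by the rule

def parse_time(s):
    """CloudTrail eventTime is ISO-8601 UTC, e.g. 2024-02-09T11:50:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def is_enum_event(event, now):
    """True for an EC2 Describe* call by an IAM user inside the look-back window."""
    return (
        event.get("eventSource") == "ec2.amazonaws.com"
        and event.get("eventName") in ENUM_API_CALLS
        and event.get("userIdentity", {}).get("type") == "IAMUser"
        and now - WINDOW <= parse_time(event["eventTime"]) <= now
    )

def enumeration_by_user(records, now):
    """Map each IAM user to the sorted distinct Describe* calls made in the window;
    several distinct calls from one principal is the discovery pattern of interest."""
    hits = {}
    for ev in records:
        if is_enum_event(ev, now):
            hits.setdefault(ev["userIdentity"].get("userName", "?"), set()).add(ev["eventName"])
    return {user: sorted(calls) for user, calls in hits.items()}

def mk(user, utype, name, when):
    """Build a minimal constructed CloudTrail record (sample data, not real logs)."""
    return {"eventSource": "ec2.amazonaws.com", "eventName": name, "eventTime": when,
            "userIdentity": {"type": utype, "userName": user}}

NOW = datetime(2024, 2, 9, 12, 0, tzinfo=timezone.utc)  # fixed "now" for the sample
SAMPLE = [
    mk("alice", "IAMUser", "DescribeInstances", "2024-02-09T11:50:00Z"),
    mk("alice", "IAMUser", "DescribeSecurityGroups", "2024-02-09T11:51:00Z"),
    mk("alice", "IAMUser", "DescribeSubnets", "2024-02-09T11:52:00Z"),
    mk("alice", "IAMUser", "RunInstances", "2024-02-09T11:53:00Z"),       # not a Describe call
    mk("alice", "IAMUser", "DescribeVpcs", "2024-02-09T08:00:00Z"),       # outside the 2h window
    mk("ci-role", "AssumedRole", "DescribeVpcs", "2024-02-09T11:55:00Z"),  # not an IAM user
]

if __name__ == "__main__":
    print(enumeration_by_user(SAMPLE, NOW))
```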
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Service
  • Cloud Storage
  • Network Traffic
ATT&CK Techniques
  • T1580
  • T1614
  • T1518.001
  • T1526
Created: 2024-02-09