
Summary
Detects the first-time use of a long-term AWS IAM access key (prefix AKIA*) from a given source IP within a defined history window in CloudTrail.

The rule operates as a New Terms detection: it looks for successful AWS API calls that authenticate with a long-term access key (AKIA*) and verifies that this specific key–source IP combination has not appeared together in the historical window (history_window_start = now-10d). It explicitly excludes temporary credentials (prefix ASIA*) and console sessions to emphasize programmatic access patterns (CLI/SDK/automation). When a first-seen combination is identified, the rule raises an alert, mapping to credential access and initial access tactics in MITRE ATT&CK (T1552 Unsecured Credentials, T1078 Cloud Accounts).

The rule uses CloudTrail data (logs-aws.cloudtrail-*) and surfaces investigation fields such as aws.cloudtrail.user_identity.arn, user_identity.type, access_key_id, source.ip, source.geo, user_agent.original, event.action, and event.outcome to aid triage. Recommended follow-up includes validating the key owner, checking for key rotation, correlating with IAM activity (GetAccessKeyLastUsed), and reviewing network context (source IP/geography, MFA policies).

False positives can arise from legitimate travel, VPN changes, CI runners, or new automation hosts; mitigate by baselining automation networks and applying appropriate exceptions. This rule is a New Terms signal intended to surface potential credential abuse before broader compromise, enabling rapid containment and credential hygiene actions such as key rotation and enforcing MFA for console access or adopting temporary credentials for workloads.
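The New Terms logic described above, as an added illustration that is not the rule's own query or code: it replays a handful of constructed CloudTrail-style records and flags each (access key, source IP) pair that has no qualifying occurrence in the preceding 10 days. Field names follow the raw CloudTrail JSON schema rather than the ECS names the rule surfaces, the console-session exclusion is approximated by the user agent and the ConsoleLogin event name, and the detection_start cut-off is an assumption used to separate history-building events from those allowed to alert.

```python
from datetime import datetime, timedelta

HISTORY_WINDOW = timedelta(days=10)  # history_window_start = now-10d
CLI_UA = "aws-cli/2.15.0 Python/3.11.6"
CONSOLE_UA = "console.amazonaws.com"  # assumption: marks console-originated sessions

def make_event(time, name, key, ip, user_agent=CLI_UA, error=None):
    # Minimal CloudTrail-style record; constructed test data, not real logs.
    ev = {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
          "userAgent": user_agent, "userIdentity": {"type": "IAMUser", "accessKeyId": key}}
    if error:
        ev["errorCode"] = error
    return ev

# Constructed sample: a baseline pair, a new IP for the same key, a temporary ASIA*
# key, a console session, a denied call, and a pair last seen 15 days earlier.
SAMPLE_EVENTS = [
    make_event("2026-03-20T09:00:00Z", "PutObject", "AKIAEXAMPLE000000001", "198.51.100.10"),
    make_event("2026-03-22T09:00:00Z", "ListBuckets", "AKIAEXAMPLE000000003", "192.0.2.5"),
    make_event("2026-03-29T09:00:00Z", "PutObject", "AKIAEXAMPLE000000001", "198.51.100.10"),
    make_event("2026-04-05T10:00:00Z", "GetObject", "AKIAEXAMPLE000000001", "203.0.113.7"),
    make_event("2026-04-05T10:05:00Z", "GetObject", "ASIAEXAMPLE000000002", "203.0.113.7"),
    make_event("2026-04-05T10:10:00Z", "DescribeInstances", "AKIAEXAMPLE000000001", "198.51.100.10"),
    make_event("2026-04-05T11:00:00Z", "DescribeInstances", "AKIAEXAMPLE000000004", "203.0.113.9", CONSOLE_UA),
    make_event("2026-04-05T12:00:00Z", "GetSecretValue", "AKIAEXAMPLE000000005", "203.0.113.7", error="AccessDenied"),
    make_event("2026-04-06T08:00:00Z", "ListBuckets", "AKIAEXAMPLE000000003", "192.0.2.5"),
    make_event("2026-04-06T09:00:00Z", "GetObject", "AKIAEXAMPLE000000001", "203.0.113.7"),
]

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def qualifies(ev):
    """Rule filters: long-term key (AKIA*, so ASIA* drops out), successful call, not console."""
    key = ev.get("userIdentity", {}).get("accessKeyId", "")
    if not key.startswith("AKIA") or ev.get("errorCode"):
        return False
    return CONSOLE_UA not in ev.get("userAgent", "") and ev.get("eventName") != "ConsoleLogin"

def first_seen_key_ip(events, detection_start, history_window=HISTORY_WINDOW):
    """Alert on (access key, source IP) pairs with no qualifying event in the prior window."""
    last_seen, alerts = {}, []
    for ev in sorted(events, key=lambda e: _ts(e["eventTime"])):
        if not qualifies(ev):
            continue
        t = _ts(ev["eventTime"])
        pair = (ev["userIdentity"]["accessKeyId"], ev["sourceIPAddress"])
        # Events before detection_start only build history; later ones may alert.
        if t >= detection_start and (pair not in last_seen or last_seen[pair] < t - history_window):
            alerts.append({"access_key_id": pair[0], "source_ip": pair[1], "event_time": ev["eventTime"],
                           "event_action": ev["eventName"], "user_agent": ev["userAgent"]})
        last_seen[pair] = t  # the pair is now known for the next history_window
    return alerts
```

Running first_seen_key_ip(SAMPLE_EVENTS, _ts("2026-04-05T00:00:00Z")) yields two alerts: the known key from a never-seen IP, and the key–IP pair whose last use fell outside the 10-day window; the repeat within the window, the ASIA* call, the console session and the denied call are all suppressed.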
Categories
- AWS
- Cloud
Data Sources
- Cloud Service
- Process
ATT&CK Techniques
- T1552
- T1078
- T1078.004
Created: 2026-04-06