AWS High Number Of Failed Authentications From Ip

Splunk Security Content

Summary
This rule detects potential brute-force attacks against AWS by identifying IP addresses with 20 or more failed authentication attempts to the AWS Web Console within a 5-minute timeframe. It analyzes AWS CloudTrail logs for failed login attempts, aggregates them by source IP address, and alerts security teams when an unusually high number of attempts is detected, which suggests possible unauthorized access attempts or account takeover activity. False positives can arise from legitimate application errors, so tune the threshold and time span used in this detection to your environment to improve its effectiveness.
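As an added example, not Splunk's own search (which is written in SPL and is not reproduced here), the same detection logic in Python over constructed CloudTrail ConsoleLogin records: keep only failed ConsoleLogin events, group them by sourceIPAddress, and alert when 20 or more failures fall inside any sliding 5-minute span. The field names (eventName, eventTime, sourceIPAddress, responseElements.ConsoleLogin) are real CloudTrail fields; the records, timestamps and IPs are constructed, and the sliding window is an assumption of this example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 20                 # failed attempts per IP (from the rule summary)
WINDOW = timedelta(minutes=5)  # time span (from the rule summary)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def _record(ip, when, outcome):
    return json.dumps({"eventName": "ConsoleLogin",
                       "eventTime": when.strftime(TS_FMT),
                       "sourceIPAddress": ip,
                       "responseElements": {"ConsoleLogin": outcome}})

def build_sample_log():
    """Constructed CloudTrail-style records (rule-relevant fields only): 25
    failures from one IP in four minutes; 3 failures + 1 success from another."""
    base = datetime(2024, 11, 14, 10, 0, 0)
    lines = [_record("198.51.100.23", base + timedelta(seconds=10 * i), "Failure")
             for i in range(25)]
    lines += [_record("203.0.113.5", base + timedelta(minutes=i), "Failure")
              for i in range(3)]
    lines.append(_record("203.0.113.5", base + timedelta(minutes=4), "Success"))
    return lines

def failed_console_logins(lines):
    """Yield (source IP, timestamp) for each failed ConsoleLogin record."""
    for line in lines:
        ev = json.loads(line)
        if ev.get("eventName") != "ConsoleLogin":
            continue
        if (ev.get("responseElements") or {}).get("ConsoleLogin") != "Failure":
            continue
        yield ev["sourceIPAddress"], datetime.strptime(ev["eventTime"], TS_FMT)

def detect(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: peak failure count} for IPs that reach `threshold`
    failures inside any sliding window of length `window`."""
    by_ip = defaultdict(list)
    for ip, ts in failed_console_logins(lines):
        by_ip[ip].append(ts)
    alerts = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] >= window:  # drop events older than the window
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), end - start + 1)
    return alerts
```

Lowering `threshold` or widening `window` shows how the same legitimate-error traffic from the second IP would start to alert, which is the tuning trade-off the summary refers to.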
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Storage
ATT&CK Techniques
  • T1110
  • T1110.003
  • T1110.004
Created: 2024-11-14