
Summary
Detects successful AWS STS AssumeRoleWithWebIdentity events where the caller identity is a Kubernetes service account (user.name of the form system:serviceaccount:<namespace>:<name>) and the source ASN organization is present but is not Amazon. In EKS with IAM Roles for Service Accounts (IRSA), pods obtain AWS credentials by exchanging their projected service account token for role credentials through this API; that exchange normally originates from inside AWS and is attributed to an Amazon ASN. A non-Amazon ASN therefore indicates that a service account token was exfiltrated, or is being used from outside the cluster, until proven otherwise.

The rule matches CloudTrail events (data stream aws.cloudtrail) with event.provider sts.amazonaws.com, event.action AssumeRoleWithWebIdentity and event.outcome success, requiring user.name to match system:serviceaccount:* and source.as.organization.name to exist and not start with "Amazon". Events without ASN enrichment do not match. Enrichment fields on the event (user_identity, resources, and source network metadata such as source.ip and source.as.*) are surfaced to aid investigation.

MITRE ATT&CK: T1078 (Valid Accounts) and its sub-technique T1078.004 (Cloud Accounts), mapped here under Initial Access.

Triage guidance covers validating the event's request parameters (which role was assumed, from which source), correlating the service account and namespace with the workload that is expected to assume that role, and checking whether the projected token was exposed (for example through logs, CI artifacts, or a compromised pod). Remediation suggests revoking the active session, reviewing and tightening the IRSA role's trust policy and attached permissions, and restarting affected workloads so fresh tokens are issued.

False positives arise from egress paths that are legitimate but not Amazon-attributed: corporate proxies, VPNs, or NAT gateways hosted outside AWS. Tune the rule with an allowlist of known egress ASN organizations or source addresses rather than disabling it. The rule is designed for cloud-native environments that ship AWS CloudTrail data and run Kubernetes workloads with IRSA, and it emphasizes cross-environment credential use and potential token compromise.
Categories
- Cloud
- AWS
- Kubernetes
- Containers
- Identity Management
Data Sources
- Cloud Service
ATT&CK Techniques
- T1078
- T1078.004
Created: 2026-04-22