
Summary
This rule detects successful AWS STS GetFederationToken requests whose request_parameters reference AdministratorAccess. GetFederationToken issues temporary credentials bounded by the calling IAM user's permissions and an optional inline session policy. Referencing or embedding AdministratorAccess in the session policy (or an equivalent policy ARN or JSON policy name) is typically over-privileged for federation use and may indicate privilege abuse, misconfiguration, or automation running with broad rights.

The rule triggers on CloudTrail data for AWS STS GetFederationToken, focusing on events whose request parameters contain AdministratorAccess, and captures the resulting credential issuance for correlation. It applies a lookback window (from now minus 6 minutes) across the filebeat-* and logs-aws.cloudtrail-* indices. Investigative fields include timestamp, user details, source IP, user_identity, action, outcome, region, request_parameters, and response_elements, enabling rapid triage and linkage to IAM changes or data-plane access seen in the same source window.

The detection maps to MITRE ATT&CK techniques T1548.005 (Temporary Elevated Cloud Access) under Privilege Escalation and T1550.001 (Application Access Token) under Lateral Movement, highlighting the abuse potential of elevated cloud credentials. The rule carries a risk score of 73 and a severity of high, reflecting the high impact of issuing broad temporary credentials.

Triage and analysis guidance covers parsing the policy and duration in request_parameters, validating that federation is necessary, and cross-referencing with subsequent credential usage and IAM changes. Remediation steps include revoking or rotating the involved IAM keys, enforcing least privilege in session policies, and replacing broad policies with restricted ones after documented approval. False positives are possible in uncommon legitimate workflows; if encountered, confirm ownership and refine the policies accordingly.

References point to the AWS STS GetFederationToken documentation and temporary credentials guidance.
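The following is an added example, not the rule's own query or any code from the rule author: it reproduces the rule's core logic in Python over constructed CloudTrail records, so a practitioner can see which events match (successful STS GetFederationToken, request parameters referencing AdministratorAccess, inside the 6-minute lookback) and which investigative fields get pulled out for triage. It assumes raw CloudTrail field names (eventSource, eventName, errorCode, requestParameters, responseElements) rather than the ECS-mapped names the rule queries; the account ID, access key ID, IPs and timestamps in the sample records are constructed placeholders.

```python
"""Re-implementation (added example) of the GetFederationToken / AdministratorAccess
detection over constructed CloudTrail records. Raw CloudTrail field names are assumed."""
from datetime import datetime, timedelta, timezone

LOOKBACK = timedelta(minutes=6)          # the rule's "now minus 6 minutes" window
ADMIN_MARKER = "AdministratorAccess"     # policy ARN or JSON policy name to flag


def parse_event_time(value):
    """CloudTrail eventTime is ISO 8601 UTC, e.g. 2026-04-08T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def references_admin_access(request_parameters):
    """True when any attached policy ARN or the inline session policy names AdministratorAccess."""
    for entry in request_parameters.get("policyArns") or []:
        if ADMIN_MARKER in entry.get("arn", ""):
            return True
    return ADMIN_MARKER in (request_parameters.get("policy") or "")


def matches_rule(record, now):
    """Apply the rule's conditions: STS GetFederationToken, successful, in window, admin referenced."""
    if record.get("eventSource") != "sts.amazonaws.com":
        return False
    if record.get("eventName") != "GetFederationToken":
        return False
    if record.get("errorCode"):                      # rule only fires on successful calls
        return False
    event_time = parse_event_time(record["eventTime"])
    if event_time < now - LOOKBACK or event_time > now:
        return False
    return references_admin_access(record.get("requestParameters") or {})


def triage_fields(record):
    """Pull the investigative fields an analyst needs to scope the credential issuance."""
    params = record.get("requestParameters") or {}
    resp = record.get("responseElements") or {}
    return {
        "timestamp": record["eventTime"],
        "user_arn": (record.get("userIdentity") or {}).get("arn"),
        "source_ip": record.get("sourceIPAddress"),
        "region": record.get("awsRegion"),
        "federated_user_name": params.get("name"),
        "duration_seconds": params.get("durationSeconds"),
        "policy_arns": [e.get("arn") for e in params.get("policyArns") or []],
        "inline_policy": params.get("policy"),
        # the issued key is what you revoke/correlate on for follow-on activity
        "issued_access_key": (resp.get("credentials") or {}).get("accessKeyId"),
        "federated_user_arn": (resp.get("federatedUser") or {}).get("arn"),
    }


def run_detection(records, now):
    """Return triage records for every CloudTrail event that matches the rule."""
    return [triage_fields(r) for r in records if matches_rule(r, now)]


# --- constructed sample data (not real events) ---------------------------------
NOW = datetime(2026, 4, 8, 10, 0, tzinfo=timezone.utc)
ADMIN_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"


def _record(event_time, request_parameters, error_code=None, access_key=None):
    """Build a minimal CloudTrail-shaped GetFederationToken record."""
    rec = {
        "eventTime": event_time,
        "eventSource": "sts.amazonaws.com",
        "eventName": "GetFederationToken",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",          # TEST-NET-3 documentation range
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ci-bot"},
        "requestParameters": request_parameters,
    }
    if error_code:
        rec["errorCode"] = error_code
    else:
        rec["responseElements"] = {
            "credentials": {"accessKeyId": access_key or "ASIAEXAMPLEKEY000000"},
            "federatedUser": {"arn": "arn:aws:sts::123456789012:federated-user/"
                                     + request_parameters.get("name", "")},
        }
    return rec


SAMPLE_RECORDS = [
    # 1: admin policy ARN attached, succeeded, 2 minutes ago -> should match
    _record("2026-04-08T09:58:00Z",
            {"name": "deploy", "durationSeconds": 3600, "policyArns": [{"arn": ADMIN_ARN}]},
            access_key="ASIAEXAMPLEKEY000001"),
    # 2: scoped inline policy, succeeded -> benign, should not match
    _record("2026-04-08T09:59:00Z",
            {"name": "reader", "durationSeconds": 900,
             "policy": '{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
                       '"Action":"s3:GetObject","Resource":"arn:aws:s3:::reports/*"}]}'}),
    # 3: admin policy ARN but the call was denied -> rule requires success, no match
    _record("2026-04-08T09:59:30Z",
            {"name": "deploy", "durationSeconds": 3600, "policyArns": [{"arn": ADMIN_ARN}]},
            error_code="AccessDenied"),
    # 4: admin policy ARN, succeeded, but 30 minutes old -> outside the lookback
    _record("2026-04-08T09:30:00Z",
            {"name": "deploy", "durationSeconds": 3600, "policyArns": [{"arn": ADMIN_ARN}]},
            access_key="ASIAEXAMPLEKEY000002"),
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_RECORDS, NOW):
        print(hit)
```

Only record 1 is reported; records 3 and 4 show why the rule's "successful" and lookback conditions matter, and the returned `issued_access_key` and `duration_seconds` are exactly the values the triage guidance says to check before revoking or rotating keys.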
Categories
- Cloud
- AWS
- Identity Management
Data Sources
- Cloud Service
ATT&CK Techniques
- T1548
- T1548.005
- T1550
- T1550.001
Created: 2026-04-08