Product
This rule detects the uploading of new SSH public keys to AWS EC2 instances using the EC2 Instance Connect service, which could indicate an adversary attempting to maintain access, escalate privileges, or move laterally within the cloud environment.