Tag
This rule detects the first time a principal calls AWS CloudFormation CreateStack or CreateStackInstances API, potentially indicating malicious resource deployment by an attacker with elevated privileges.