Tag
Detects successful AWS AssumeRoleWithWebIdentity where the caller identity is a Kubernetes service account and the source autonomous system organization is not Amazon.com, Inc., potentially indicating a stolen or misused service-account token being used off-cluster.