diff --git a/rules/cloud/aws/aws_pass_role_to_lambda_function.yml b/rules/cloud/aws/aws_pass_role_to_lambda_function.yml
index 3c38c959e..f80470509 100644
--- a/rules/cloud/aws/aws_pass_role_to_lambda_function.yml
+++ b/rules/cloud/aws/aws_pass_role_to_lambda_function.yml
@@ -10,15 +10,12 @@ logsource:
 service: cloudtrail
 detection:
 selection1:
- eventSource: iam.amazonaws.com
- eventName: PassRole
- selection2:
 eventSource: lambda.amazonaws.com
 eventName: CreateFunction
- selection3:
+ selection2:
 eventSource: lambda.amazonaws.com
 eventName: InvokeFunction
- condition: selection1 and selection2 and selection3
+ condition: selection1 and selection2
 level: low
 tags:
 - attack.privilege_escalation
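Review bot: The new `condition: selection1 and selection2` cannot match, because a Sigma condition is evaluated against one event and a single CloudTrail record cannot carry both `eventName: CreateFunction` and `eventName: InvokeFunction`. If the intent is to flag either call, use `condition: selection1 or selection2`, or fold both into one selection with `eventName:` as a list; if the intent is the create-then-invoke sequence, that needs a correlation in the backend rather than `and`. With the PassRole selection gone, nothing in the visible selections ties the match to a role being passed, so filtering on the role field in the CreateFunction request parameters may be needed to keep the rule's meaning; the title and description are outside this hunk. It is also worth confirming the event names against real CloudTrail samples, since Lambda management events are, as far as I know, logged with a version suffix (for example `CreateFunction20150331`) and invocations are data events that are only recorded when data-event logging is enabled.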