diff --git a/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml b/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
new file mode 100644
index 000000000..c71e33e4d
--- /dev/null
+++ b/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
@@ -0,0 +1,66 @@
+[metadata]
+creation_date = "2021/05/17"
+maturity = "production"
+updated_date = "2021/10/05"
+integration = "aws"
+
+[rule]
+author = ["Austin Songer"]
+description = """
+Identifies the use of AssumeRole. AssumeRole returns a set of temporary security credentials that can be used to access
+AWS resources. An adversary could use those credentials to move laterally and escalate privileges.
+"""
+false_positives = [
+    """
+    Automated processes that uses Terraform may lead to false positives.
+    """,
+]
+index = ["filebeat-*", "logs-aws*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "AWS Security Token Service (STS) AssumeRole Usage"
+references = ["https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html"]
+note = """## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+risk_score = 21
+rule_id = "93075852-b0f5-4b8b-89c3-a226efae5726"
+severity = "low"
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:AssumedRole and 
+aws.cloudtrail.user_identity.session_context.session_issuer.type:Role and event.outcome:success
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1550"
+name = "Use Alternate Authentication Material"
+reference = "https://attack.mitre.org/techniques/T1550/"
+[[rule.threat.technique.subtechnique]]
+id = "T1550.001"
+name = "Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1550/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"