falco/test/rules/plugins/cloudtrail_create_instances_exceptions.yaml

- rule: Cloudtrail Create Instance
  desc: Detect Creating an EC2 Instance
  condition: evt.num > 0 and ct.name="StartInstances"
  output: EC2 Instance Created (evtnum=%evt.num info=%evt.plugininfo id=%ct.id user name=%json.value[/userIdentity/userName])
  exceptions:
  - name: user_secreid
    fields: [aws.user, aws.region]
  priority: INFO
  source: aws_cloudtrail