diff --git a/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml b/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml
new file mode 100644
index 00000000000..43c758273bb
--- /dev/null
+++ b/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml
@@ -0,0 +1,71 @@
+[metadata]
+creation_date = "2021/05/17"
+maturity = "production"
+updated_date = "2021/07/24"
+
+[rule]
+author = ["Austin Songer"]
+description = """
+Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and 
+escalate privileges.
+"""
+false_positives = [
+    """
+    GetSessionToken may be done by a system or network administrator. Verify whether the user identity, user 
+    agent, and/or hostname should be making changes in your environment. GetSessionToken from unfamiliar users or 
+    hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    """,
+]
+index = ["filebeat-*", "logs-aws*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "AWS STS GetSessionToken Abuse"
+note = """## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+references = [
+    "https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html",
+]
+
+risk_score = 21
+rule_id = "b45ab1d2-712f-4f01-a751-df3826969807"
+severity = "low"
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:GetSessionToken and 
+aws.cloudtrail.user_identity.type:IAMUser and event.outcome:success
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1550"
+name = "Use Alternate Authentication Material"
+reference = "https://attack.mitre.org/techniques/T1550/"
+[[rule.threat.technique.subtechnique]]
+id = "T1550.001"
+name = "Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1550/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"