
Cloud CDR: IAM Privilege Escalation — High-Risk API Operations

Detects sequences of high-risk cloud API calls used in IAM privilege escalation across AWS, Azure, and GCP. Aligned with CrowdStrike Real-Time Cloud Detection & Response capabilities announced in April 2026. Covers the standard cloud attacker playbook: role creation with modified trust relationships, permanent access key generation, attaching permissive policies, and adding users to privileged groups.
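The correlation idea described above, sketched for AWS CloudTrail only, as an added example that is not the subscription query or any vendor's code. The category names, 15-minute window, two-category threshold and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# AWS IAM event names grouped by the four behaviours the description lists.
HIGH_RISK = {
    "CreateRole": "role_trust", "UpdateAssumeRolePolicy": "role_trust",
    "CreateAccessKey": "access_key", "AddUserToGroup": "group_add",
    "AttachUserPolicy": "policy_attach", "AttachRolePolicy": "policy_attach",
    "PutUserPolicy": "policy_attach",
}
WINDOW = timedelta(minutes=15)  # assumed correlation window
MIN_CATEGORIES = 2              # assumed threshold of distinct behaviours

def detect(events):
    """Map principal ARN -> categories seen when the threshold was first crossed."""
    per_actor = defaultdict(list)
    for ev in events:
        cat = HIGH_RISK.get(ev.get("eventName"))
        if cat is None or ev.get("errorCode"):  # skip benign and failed calls
            continue
        when = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        arn = ev.get("userIdentity", {}).get("arn", "unknown")
        per_actor[arn].append((when, cat))
    alerts = {}
    for arn, hits in per_actor.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most WINDOW.
            while hits[end][0] - hits[start][0] > WINDOW:
                start += 1
            cats = {c for _, c in hits[start:end + 1]}
            if len(cats) >= MIN_CATEGORIES:
                alerts[arn] = sorted(cats)
                break
    return alerts

U = "arn:aws:iam::111122223333:user/"  # constructed account and users
def record(user, ts, name, error=None):
    return {"userIdentity": {"arn": U + user}, "eventTime": ts,
            "eventName": name, "errorCode": error}

SAMPLE_EVENTS = [  # constructed CloudTrail-style records
    record("bob", "2026-01-10T12:00:00Z", "CreateRole"),
    record("bob", "2026-01-10T12:01:00Z", "DescribeInstances"),
    record("bob", "2026-01-10T12:03:00Z", "AttachRolePolicy"),
    record("carol", "2026-01-10T09:00:00Z", "AddUserToGroup"),
    record("carol", "2026-01-10T11:00:00Z", "CreateAccessKey"),  # outside window
    record("dave", "2026-01-10T13:00:00Z", "AttachUserPolicy", "AccessDenied"),
    record("dave", "2026-01-10T13:01:00Z", "CreateAccessKey"),
]
```

Failed calls are dropped here to keep the sketch small; a production rule would usually track denied attempts as a separate signal rather than discard them.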
