Amazon Web Services (AWS)

This is the list of what AWS detects via Amazon GuardDuty (referred to as 'findings' for some reason). Not a lot of detail about the detection logic, but if you are doing detection in another product it is worth checking whether your use cases would cover the same events.

https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html


Detecting AWS Unauthenticated Cross-Account Attacks. A bit LogRhythm-specific, but a useful read.

https://logrhythm.com/blog/detecting-aws-unauthenticated-cross-account-attacks/



Rules in various SIEM platforms that apply to AWS use cases. It is fairly easy to apply the same logic in whatever platform you are using.


Elastic

https://github.com/elastic/detection-rules/tree/main/rules/integrations/aws


Sentinel

https://github.com/Azure/Azure-Sentinel/tree/master/Detections/AWSCloudTrail

https://github.com/Azure/Azure-Sentinel/tree/master/Detections/AWSGuardDuty


Splunk

https://github.com/splunk/security_content/tree/develop/detections/cloud