Unlike in the past, the user has started creating instances. This action may indicate of a presence of an unauthorized actor in the cloud environment, since this is an unusual activity of the role.
Recommended Mitigation
It is recommended to review relevant AuditLog event and principal that issued this API call to determine if this is a legit activity.
