Summary
This rule detects potential ransomware or data‑destruction preparation by monitoring AWS S3 bucket security‑control changes in CloudTrail. It fires when two or more distinct security controls are disabled on the same bucket by a single actor within a short window. The controls considered are PutBucketLogging (logging), PutBucketVersioning (versioning), and the MFA Delete setting within versioning. Because versioning and MFA Delete can both be disabled in a single PutBucketVersioning call (one CloudTrail event), the rule triggers at a threshold of 2 rather than 3, so that call alone is enough to raise an alert and attacker activity is caught earlier. When triggered, it correlates subsequent risky activity (e.g., DeleteObject, PutBucketEncryption, GetObject) on that bucket within 6 hours and checks whether the same actor has disabled controls on other buckets in the past week, supporting detection of a broader attack pattern. The rule maps to MITRE techniques related to credential access and defense evasion as an indicator of preparation for data destruction. It is intended for AWS CloudTrail data and is tuned for high-severity alerts (Threshold 2, Deduplication window 90 minutes).
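The following is an added worked example of the logic described above, written for this page and not the rule's own code. It reads constructed CloudTrail records, works out which control each event switches off, counts distinct controls per (actor, bucket) in a 90-minute sliding window, and then runs the two follow-up checks (risky calls on the bucket within 6 hours, other buckets hit by the same actor). The CloudTrail field layout used here (camelCase record keys, PascalCase S3 request parameters such as VersioningConfiguration.Status) and all sample ARNs, bucket names and timestamps are assumptions constructed for the example.

```python
"""Added example: sliding-window detection of S3 security-control disablement in CloudTrail.
The CloudTrail field layout and every sample record below are assumptions for this example."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Follow-up calls the summary names as risky once controls are off.
RISKY_FOLLOWUPS = {"DeleteObject", "DeleteObjects", "PutBucketEncryption", "GetObject"}


def parse_time(ts):
    """CloudTrail eventTime is ISO-8601 in UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def controls_disabled(event):
    """Return the set of S3 security controls a single event switches off."""
    if event.get("eventSource") != "s3.amazonaws.com":
        return set()
    params = event.get("requestParameters") or {}
    disabled = set()
    if event.get("eventName") == "PutBucketLogging":
        # A BucketLoggingStatus without a LoggingEnabled element turns logging off.
        if "LoggingEnabled" not in (params.get("BucketLoggingStatus") or {}):
            disabled.add("logging")
    elif event.get("eventName") == "PutBucketVersioning":
        cfg = params.get("VersioningConfiguration") or {}
        if cfg.get("Status") == "Suspended":
            disabled.add("versioning")
        if cfg.get("MfaDelete") == "Disabled":
            disabled.add("mfa_delete")  # the same call can disable both at once
    return disabled


def find_alerts(events, threshold=2, window=timedelta(minutes=90)):
    """One alert per (actor, bucket) whose distinct disabled controls within `window` reach `threshold`."""
    by_key = defaultdict(list)
    for ev in events:
        disabled = controls_disabled(ev)
        if not disabled:
            continue
        actor = (ev.get("userIdentity") or {}).get("arn", "unknown")
        bucket = (ev.get("requestParameters") or {}).get("bucketName", "unknown")
        by_key[(actor, bucket)].append((parse_time(ev["eventTime"]), disabled))
    alerts = []
    for (actor, bucket), hits in by_key.items():
        hits.sort(key=lambda h: h[0])
        for i, (start, _) in enumerate(hits):
            seen = set()
            for t, d in hits[i:]:
                if t - start > window:
                    break
                seen |= d
            if len(seen) >= threshold:
                alerts.append({"actor": actor, "bucket": bucket,
                               "controls": sorted(seen), "first_seen": start})
                break  # one alert per pair; the SIEM's dedup window handles repeats
    return alerts


def followup_activity(alert, events, horizon=timedelta(hours=6)):
    """Names of risky S3 calls on the alerted bucket within `horizon` after the trigger."""
    end = alert["first_seen"] + horizon
    return [ev["eventName"] for ev in events
            if ev.get("eventSource") == "s3.amazonaws.com"
            and ev.get("eventName") in RISKY_FOLLOWUPS
            and (ev.get("requestParameters") or {}).get("bucketName") == alert["bucket"]
            and alert["first_seen"] <= parse_time(ev["eventTime"]) <= end]


def other_buckets_hit(alert, alerts):
    """Other buckets on which the same actor also tripped the rule (the spread check)."""
    return sorted(a["bucket"] for a in alerts
                  if a["actor"] == alert["actor"] and a["bucket"] != alert["bucket"])


def _ev(time, name, actor, bucket, **params):
    """Build a minimal constructed CloudTrail record."""
    return {"eventTime": time, "eventSource": "s3.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": actor},
            "requestParameters": {"bucketName": bucket, **params}}


ATTACKER = "arn:aws:iam::111122223333:user/compromised-ci"  # constructed
ADMIN = "arn:aws:iam::111122223333:user/storage-admin"       # constructed
SAMPLE_EVENTS = [  # constructed sample records
    # two distinct controls on one bucket, 40 minutes apart -> alert
    _ev("2026-04-21T10:00:00Z", "PutBucketLogging", ATTACKER, "backups-prod", BucketLoggingStatus={}),
    _ev("2026-04-21T10:40:00Z", "PutBucketVersioning", ATTACKER, "backups-prod",
        VersioningConfiguration={"Status": "Suspended"}),
    # versioning and MFA Delete disabled in a single call -> alert on its own
    _ev("2026-04-21T11:05:00Z", "PutBucketVersioning", ATTACKER, "archive",
        VersioningConfiguration={"Status": "Suspended", "MfaDelete": "Disabled"}),
    # risky follow-up on the first bucket two hours later
    _ev("2026-04-21T12:10:00Z", "DeleteObject", ATTACKER, "backups-prod", key="db/latest.dump"),
    # benign: an admin enabling versioning
    _ev("2026-04-21T10:20:00Z", "PutBucketVersioning", ADMIN, "media",
        VersioningConfiguration={"Status": "Enabled"}),
    # two controls on one bucket but four hours apart -> outside the window, no alert
    _ev("2026-04-21T09:00:00Z", "PutBucketLogging", ADMIN, "logs", BucketLoggingStatus={}),
    _ev("2026-04-21T13:00:00Z", "PutBucketVersioning", ADMIN, "logs",
        VersioningConfiguration={"Status": "Suspended"}),
]

if __name__ == "__main__":
    found = find_alerts(SAMPLE_EVENTS)
    for a in found:
        print(a["bucket"], a["controls"], followup_activity(a, SAMPLE_EVENTS),
              other_buckets_hit(a, found))
```

The window check is per (actor, bucket) so two different principals touching the same bucket do not combine into one alert, and the "logs" bucket case shows why a spaced-out sequence stays below threshold; lowering `window` or raising `threshold` is where a team would tune false-positive rate against the 90-minute dedup window the summary cites.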
Categories
- Cloud
- AWS
Data Sources
- Cloud Service
ATT&CK Techniques
- T1562
- T1485
Created: 2026-04-21