
Summary
Detects manual initiation of Amazon RDS (Aurora) cluster failovers by analyzing AWS CloudTrail events. The rule flags FailoverDBCluster (cluster failover) and FailoverGlobalCluster (global cluster failover) API calls that are recorded as CloudTrail management events and attributable to a specific user identity. It differentiates normal activity from potential disruption by (1) aggregating failover events within the last 24 hours by the initiator (user ARN), (2) checking whether the initiator has performed failovers in the past 90 days to establish a behavioral baseline, and (3) examining health or modification events in the 30 minutes preceding the failover to determine whether the action correlates with a recovery scenario. Deduplication within a 60-minute window reduces noise. The rule includes sample test events demonstrating both cluster and global failovers as true positives and an authorization failure as a negative case. It maps to MITRE ATT&CK tactic TA0040 (Impact), technique T1499 (Endpoint Denial of Service), to highlight the potential disruption risk. This detection helps identify disaster-recovery testing, operational troubleshooting, or attempted interruption of service for RDS resources in AWS. The runbook steps walk through deriving per-user failover activity, checking whether it is normal for that user, and correlating it with health events, supporting incident response and post-event analysis. The rule is labeled Experimental with Medium severity and uses CloudTrail as its data source to monitor AWS management-plane activity on RDS resources.
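As an added illustration (not code from the rule or its source), the enrichment steps above can be sketched in Python over constructed CloudTrail-shaped records: the CONTEXT_API set and the sample ARNs are assumptions, since the summary names no specific modification APIs or principals.

```python
from datetime import datetime, timedelta, timezone

FAILOVER_API = {"FailoverDBCluster", "FailoverGlobalCluster"}
# Assumed "health or modification" calls to correlate with; the rule summary names no specific APIs.
CONTEXT_API = {"ModifyDBCluster", "ModifyDBInstance", "RebootDBInstance"}
LOOKBACK, BASELINE, CONTEXT, DEDUP = timedelta(hours=24), timedelta(days=90), timedelta(minutes=30), timedelta(minutes=60)

def ts(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def is_failover(rec):
    # Successful management-plane failover calls only; denied calls (errorCode set) are dropped.
    return rec["eventName"] in FAILOVER_API and rec["eventCategory"] == "Management" and "errorCode" not in rec

def triage(records, now):
    # One enriched alert per initiator, deduplicated within DEDUP; records may arrive unordered.
    recs = sorted(records, key=ts)
    alerts, last_alert = [], {}
    for rec in recs:
        t = ts(rec)
        if not is_failover(rec) or not (now - LOOKBACK <= t <= now):
            continue
        user = rec["userIdentity"]["arn"]
        if user in last_alert and t - last_alert[user] < DEDUP:
            continue  # same initiator inside the dedup window: no new alert
        last_alert[user] = t
        same_user = [r for r in recs if is_failover(r) and r["userIdentity"]["arn"] == user]
        alerts.append({
            "user": user, "api": rec["eventName"],
            "failovers_24h": sum(now - LOOKBACK <= ts(r) <= now for r in same_user),
            "baseline_90d": sum(t - BASELINE <= ts(r) < t for r in same_user),
            # Not scoped to one cluster: any RDS change call shortly before the failover counts.
            "preceding_events": [r["eventName"] for r in recs if r["eventName"] in CONTEXT_API and t - CONTEXT <= ts(r) < t],
        })
    return alerts

def ev(time, name, arn, **extra):
    # Constructed CloudTrail-shaped records carrying only the fields the rule reads (not real logs).
    return {"eventTime": time, "eventName": name, "eventCategory": "Management", "userIdentity": {"arn": arn}, **extra}

ALICE, BOB, CAROL = (f"arn:aws:iam::123456789012:user/{u}" for u in ("alice", "bob", "carol"))
SAMPLE = [
    ev("2026-03-12T09:00:00Z", "FailoverDBCluster", BOB),    # 40 days old: forms bob's baseline
    ev("2026-04-21T09:30:00Z", "ModifyDBCluster", ALICE),    # change 15 min before alice's failover
    ev("2026-04-21T09:45:00Z", "FailoverDBCluster", ALICE),
    ev("2026-04-21T09:55:00Z", "FailoverDBCluster", ALICE),  # folded into the 09:45 alert
    ev("2026-04-21T11:00:00Z", "FailoverGlobalCluster", BOB),
    ev("2026-04-21T11:30:00Z", "FailoverDBCluster", CAROL, errorCode="AccessDenied"),  # negative case
]
NOW = datetime(2026, 4, 21, 12, tzinfo=timezone.utc)
```

Calling `triage(SAMPLE, NOW)` yields two alerts: alice's (two failovers in 24 h, no 90-day history, preceded by a ModifyDBCluster) and bob's (one global failover with a prior failover in the baseline window, nothing preceding it); carol's denied call produces none.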
Categories
- Cloud
- Database
Data Sources
- Cloud Service
ATT&CK Techniques
- T1499
Created: 2026-04-21