
Summary
The AWS RDS Instance Deletion rule detects deletion operations in AWS CloudTrail for RDS resources (both DB instances and DB clusters). It flags DeleteDBInstance and DeleteDBCluster events that permanently remove data, including scenarios where a final snapshot is not taken. This covers deletions of individual instances or clusters and warns when deletions could lead to data loss, potentially indicating ransomware, insider threats, or credential abuse. The rule differentiates successful deletions from failed attempts (e.g., AccessDenied), which should not trigger an alert. It also incorporates identity and parameter indicators (user principal, resource identifiers, and skipFinalSnapshot status) to support correlation and deduplication across alerts. Runbooks emphasize examining precursor actions (within 48 hours), historical deletion patterns (past 90 days), and deletion protection changes (within 24 hours). MITRE mappings point to data destruction-focused techniques. The rule is designed for the CloudTrail data feed and deduplicates alerts within a 60-minute window, triggering on a single qualifying event.
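The detection logic the summary describes, run over a handful of constructed CloudTrail events, as an added example (this is not the rule's own implementation). It assumes the field names CloudTrail uses for RDS API calls (eventSource, eventName, errorCode, requestParameters.dBInstanceIdentifier / dBClusterIdentifier, requestParameters.skipFinalSnapshot, userIdentity.arn); the sample events, principals and resource names are made up for the example. It suppresses failed attempts such as AccessDenied, records whether a final snapshot was skipped, and deduplicates on (principal, resource, API call) within a 60-minute window.

```python
"""Flag RDS instance/cluster deletions in CloudTrail, drop failed attempts,
and deduplicate alerts within a 60-minute window (added example)."""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# eventName -> requestParameters key holding the deleted resource's identifier
DELETE_EVENTS = {
    "DeleteDBInstance": "dBInstanceIdentifier",
    "DeleteDBCluster": "dBClusterIdentifier",
}
DEDUP_WINDOW = timedelta(minutes=60)

# Constructed CloudTrail records (JSON lines); not real log data.
SAMPLE_LOG = "\n".join([
    json.dumps({"eventTime": "2026-04-21T10:00:00Z", "eventSource": "rds.amazonaws.com",
                "eventName": "DeleteDBInstance",
                "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
                "requestParameters": {"dBInstanceIdentifier": "prod-db-1", "skipFinalSnapshot": True}}),
    # Failed attempt: errorCode present, must not alert.
    json.dumps({"eventTime": "2026-04-21T10:05:00Z", "eventSource": "rds.amazonaws.com",
                "eventName": "DeleteDBInstance", "errorCode": "AccessDenied",
                "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
                "requestParameters": {"dBInstanceIdentifier": "prod-db-2", "skipFinalSnapshot": True}}),
    # Unrelated RDS API call, ignored.
    json.dumps({"eventTime": "2026-04-21T10:10:00Z", "eventSource": "rds.amazonaws.com",
                "eventName": "ModifyDBInstance",
                "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
                "requestParameters": {"dBInstanceIdentifier": "prod-db-1"}}),
    json.dumps({"eventTime": "2026-04-21T10:30:00Z", "eventSource": "rds.amazonaws.com",
                "eventName": "DeleteDBCluster",
                "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
                "requestParameters": {"dBClusterIdentifier": "prod-cluster", "skipFinalSnapshot": False}}),
    # Same principal/resource/call 40 minutes after the first alert: deduplicated.
    json.dumps({"eventTime": "2026-04-21T10:40:00Z", "eventSource": "rds.amazonaws.com",
                "eventName": "DeleteDBInstance",
                "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
                "requestParameters": {"dBInstanceIdentifier": "prod-db-1", "skipFinalSnapshot": True}}),
    # Same again 90 minutes after the first alert: outside the window, alerts anew.
    json.dumps({"eventTime": "2026-04-21T11:30:00Z", "eventSource": "rds.amazonaws.com",
                "eventName": "DeleteDBInstance",
                "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
                "requestParameters": {"dBInstanceIdentifier": "prod-db-1", "skipFinalSnapshot": True}}),
])


@dataclass(frozen=True)
class Alert:
    event_time: datetime
    principal: str
    resource: str
    event_name: str
    skip_final_snapshot: bool  # True means no final snapshot: permanent data loss

    @property
    def dedup_key(self) -> tuple[str, str, str]:
        return (self.principal, self.resource, self.event_name)


def load_events(log_text: str) -> list[dict]:
    """Parse JSON-lines CloudTrail records, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def parse_time(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate(event: dict) -> Alert | None:
    """Return an Alert for a successful RDS delete call, else None."""
    if event.get("eventSource") != "rds.amazonaws.com":
        return None
    name = event.get("eventName")
    if name not in DELETE_EVENTS:
        return None
    if event.get("errorCode"):  # e.g. AccessDenied: the deletion did not happen
        return None
    params = event.get("requestParameters") or {}
    return Alert(
        event_time=parse_time(event["eventTime"]),
        principal=(event.get("userIdentity") or {}).get("arn", "<unknown>"),
        resource=params.get(DELETE_EVENTS[name], "<unknown>"),
        event_name=name,
        skip_final_snapshot=bool(params.get("skipFinalSnapshot", False)),
    )


def run_detection(events: list[dict]) -> list[Alert]:
    """Emit one alert per dedup key per 60-minute window, oldest event first."""
    alerts: list[Alert] = []
    last_alerted: dict[tuple[str, str, str], datetime] = {}
    for event in sorted(events, key=lambda e: e["eventTime"]):
        alert = evaluate(event)
        if alert is None:
            continue
        previous = last_alerted.get(alert.dedup_key)
        if previous is not None and alert.event_time - previous < DEDUP_WINDOW:
            continue  # suppressed: window measured from the last emitted alert
        last_alerted[alert.dedup_key] = alert.event_time
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_detection(load_events(SAMPLE_LOG)):
        severity = "HIGH (no final snapshot)" if a.skip_final_snapshot else "MEDIUM"
        print(f"{a.event_time.isoformat()} {a.event_name} {a.resource} by {a.principal}: {severity}")
```

The window is measured from the last alert that was actually emitted, so a burst of repeated deletions collapses into one alert per hour per principal and resource rather than being silenced indefinitely. A real pipeline would also carry the skipFinalSnapshot flag into severity scoring, since a deletion with a final snapshot is recoverable while one without it is not.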
Categories
- Cloud
- AWS
- Database
Data Sources
- Cloud Service
ATT&CK Techniques
- T1485
- T1531
Created: 2026-04-21