AWS KMS Customer Managed Key Disabled or Scheduled for Deletion

Elastic Detection Rules

Summary
This detection rule identifies unauthorized attempts to disable or schedule the deletion of AWS KMS Customer Managed Keys (CMKs). Deleting a KMS key is irreversible: any data encrypted under that key becomes permanently inaccessible, so an unexpected deletion is a potential data-loss event. The rule uses AWS CloudTrail logs to monitor two KMS API actions, `DisableKey` and `ScheduleKeyDeletion`, and alerts when a successful call to either is recorded, so security teams can respond quickly. The rule also includes guidance for triaging alerts and recognising false positives from legitimate administrative actions, which improves the quality of incident response.
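The matching logic described above, as an added example in Python rather than the rule's own query: it scans constructed CloudTrail records (placeholder account id, principals and key ids) for successful `DisableKey` and `ScheduleKeyDeletion` calls, skipping denied calls and the unrelated `CancelKeyDeletion` action, and returns the fields a triager would want.

```python
import json

# Constructed CloudTrail records for illustration (not real log data); account id,
# principals and key ids are placeholders.
CLOUDTRAIL_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "ScheduleKeyDeletion",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"keyId": "example-key-1", "pendingWindowInDays": 7}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "DisableKey",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/ci-deploy"},
     "requestParameters": {"keyId": "example-key-2"}},
    # Denied call: no key state changed, so the rule must not alert on it.
    {"eventTime": "2024-01-01T10:06:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "DisableKey",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"},
     "requestParameters": {"keyId": "example-key-3"}, "errorCode": "AccessDenied"},
    # Reverses a pending deletion: useful in triage, but not a watched action.
    {"eventTime": "2024-01-01T10:07:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "CancelKeyDeletion",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"keyId": "example-key-1"}},
]})

WATCHED_ACTIONS = {"DisableKey", "ScheduleKeyDeletion"}


def matches_rule(event):
    """True for a successful KMS DisableKey or ScheduleKeyDeletion call.
    CloudTrail adds errorCode to failed calls, so its absence means success."""
    return (event.get("eventSource") == "kms.amazonaws.com"
            and event.get("eventName") in WATCHED_ACTIONS
            and "errorCode" not in event)


def find_alerts(cloudtrail_json):
    """One alert per matching record, carrying the fields a triager needs."""
    records = json.loads(cloudtrail_json).get("Records", [])
    return [{"time": ev.get("eventTime"), "action": ev["eventName"],
             "actor": ev.get("userIdentity", {}).get("arn"),
             "key_id": ev.get("requestParameters", {}).get("keyId"),
             "pending_window_days": ev.get("requestParameters", {}).get("pendingWindowInDays")}
            for ev in records if matches_rule(ev)]


if __name__ == "__main__":
    for alert in find_alerts(CLOUDTRAIL_LOG):
        print(alert)
```

Because `CancelKeyDeletion` is not matched, a triager who sees a `ScheduleKeyDeletion` alert should check for a later cancellation by the same principal before escalating.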
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Service
  • Network Traffic
  • Application Log
ATT&CK Techniques
  • T1485
Created: 2022-09-21