
Detect New Open S3 Buckets over AWS CLI

Splunk Security Content

Summary
This detection identifies Amazon S3 buckets that were made publicly accessible through the AWS Command Line Interface (CLI) by searching AWS CloudTrail logs. It looks for bucket access control list (ACL) changes that grant access to the "AuthenticatedUsers" group (any authenticated AWS account, not only accounts in your organization) or the "AllUsers" group (anonymous access). Either grant exposes the bucket's contents to parties outside the account and can lead directly to a data breach. The search filters CloudTrail S3 ACL events whose user agent identifies the AWS CLI and records the first and last time each matching change was seen, so analysts can tell when a bucket was opened and whether it is being re-opened. The implementation requires the Splunk Add-on for AWS and CloudTrail data onboarded into Splunk. The detection is expected to be high fidelity, but some organizations intentionally run public buckets (for example, published datasets or static web content); those cases should be reviewed and tuned out rather than dismissed.
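The rule's logic, replayed in Python over constructed CloudTrail records, as an added example. This is not the project's Splunk search; the JSON layout assumed for the PutBucketAcl requestParameters, the user-agent strings and the sample records are my assumptions, built to resemble what CloudTrail emits.

```python
"""Replay of the detection logic over constructed CloudTrail records.

Assumed (not from the page): the field layout follows the CloudTrail
PutBucketAcl record format; every record below is constructed.
"""
import json
from datetime import datetime, timezone

# Grantee group URIs that make a bucket ACL public (AWS global groups).
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Canned ACLs equivalent to granting one of the groups above.
PUBLIC_CANNED_ACLS = {"public-read", "public-read-write", "authenticated-read"}


def is_aws_cli(user_agent):
    """CloudTrail records the CLI as e.g. '[aws-cli/2.15.30 ...]' (assumed form)."""
    return "aws-cli/" in (user_agent or "")


def public_grants(event):
    """Return public grants in a PutBucketAcl record as (grantee, permission) pairs."""
    params = event.get("requestParameters") or {}
    found = []
    policy = params.get("AccessControlPolicy") or {}
    raw = (policy.get("AccessControlList") or {}).get("Grant") or []
    if isinstance(raw, dict):  # a single Grant may be logged as an object, not a list
        raw = [raw]
    for grant in raw:
        uri = (grant.get("Grantee") or {}).get("URI")
        if uri in PUBLIC_GRANTEE_URIS:
            found.append((uri.rsplit("/", 1)[-1], grant.get("Permission")))
    for canned in params.get("x-amz-acl") or []:
        if canned in PUBLIC_CANNED_ACLS:
            found.append((canned, "canned-acl"))
    return found


def detect_open_buckets(raw_lines):
    """CLI-originated S3 ACL changes granting AllUsers or AuthenticatedUsers,
    aggregated per (bucket, principal) with count and first/last seen times."""
    hits = {}
    for line in raw_lines:
        ev = json.loads(line)
        if ev.get("eventSource") != "s3.amazonaws.com" or ev.get("eventName") != "PutBucketAcl":
            continue
        if not is_aws_cli(ev.get("userAgent")):
            continue
        grants = public_grants(ev)
        if not grants:
            continue
        when = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        key = (ev["requestParameters"]["bucketName"], ev["userIdentity"]["arn"])
        hit = hits.setdefault(key, {"count": 0, "firstTime": when, "lastTime": when, "grants": set()})
        hit["count"] += 1
        hit["firstTime"] = min(hit["firstTime"], when)
        hit["lastTime"] = max(hit["lastTime"], when)
        hit["grants"].update(grants)
    return hits


def _record(event_name, event_time, user_agent, params, arn="arn:aws:iam::123456789012:user/alice"):
    """Build one constructed CloudTrail record (hypothetical account and principal)."""
    return json.dumps({
        "eventVersion": "1.08", "eventTime": event_time, "eventSource": "s3.amazonaws.com",
        "eventName": event_name, "userAgent": user_agent,
        "userIdentity": {"type": "IAMUser", "arn": arn}, "requestParameters": params,
    })


CLI_UA = "[aws-cli/2.15.30 ua/2.0 os/linux#6.5.0 lang/python#3.11.8 md/command#s3api.put-bucket-acl]"
CONSOLE_UA = "[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488]"
ALL_USERS_READ = {"AccessControlList": {"Grant": [{
    "Grantee": {"xsi:type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
    "Permission": "READ"}]}}

SAMPLE_RECORDS = [  # constructed sample log lines
    # 1: CLI grants READ to AllUsers -> alert.
    _record("PutBucketAcl", "2024-11-14T10:00:00Z", CLI_UA,
            {"bucketName": "example-reports", "AccessControlPolicy": ALL_USERS_READ}),
    # 2: same bucket and user again via canned ACL -> same alert, lastTime advances.
    _record("PutBucketAcl", "2024-11-14T11:30:00Z", CLI_UA,
            {"bucketName": "example-reports", "x-amz-acl": ["authenticated-read"]}),
    # 3: identical grant from the console -> outside this rule's scope (not the CLI).
    _record("PutBucketAcl", "2024-11-14T12:00:00Z", CONSOLE_UA,
            {"bucketName": "example-reports", "AccessControlPolicy": ALL_USERS_READ}),
    # 4: CLI, but the grantee is a specific canonical user -> not public.
    _record("PutBucketAcl", "2024-11-14T12:05:00Z", CLI_UA,
            {"bucketName": "example-logs", "AccessControlPolicy": {"AccessControlList": {"Grant": [{
                "Grantee": {"xsi:type": "CanonicalUser", "ID": "0123456789abcdef"},
                "Permission": "FULL_CONTROL"}]}}}),
    # 5: unrelated S3 management event -> ignored.
    _record("CreateBucket", "2024-11-14T12:10:00Z", CLI_UA, {"bucketName": "example-logs"}),
]

if __name__ == "__main__":
    for (bucket, arn), hit in detect_open_buckets(SAMPLE_RECORDS).items():
        print(bucket, arn, hit["count"], hit["firstTime"].isoformat(),
              hit["lastTime"].isoformat(), sorted(hit["grants"]))
```

Like the rule it mirrors, this only inspects bucket ACLs and only CLI-originated calls, which is why record 3 (the same grant from the console) produces no hit; a bucket opened through a bucket policy rather than an ACL would not be caught by this logic either, so it should sit beside, not replace, other public-exposure checks.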
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Storage
ATT&CK Techniques
  • T1530
Created: 2024-11-14