
Summary
This rule detects cross-region AWS RDS snapshot copies by monitoring CloudTrail AwsApiCall events for CopyDBSnapshot and CopyDBClusterSnapshot. Cross-region copies are legitimate for disaster recovery and for sharing, but they also let an attacker stage a database snapshot in a region with less monitoring or expose it to an external account.

The detector analyzes eventName, userIdentity (principalId and type), requestParameters (sourceRegion, sourceDBSnapshotIdentifier, sourceDBClusterSnapshotIdentifier, targetDBSnapshotIdentifier), awsRegion, and recipientAccountId. Because a copy request is made to the destination region, awsRegion is the target region: a copy is cross-region when the region in the source snapshot ARN (or the sourceRegion parameter) differs from awsRegion, and cross-account when the account in the source snapshot ARN differs from recipientAccountId. The rule supports correlating a hit with subsequent snapshot sharing events in the target region within 48 hours to identify staged exfiltration or external sharing.

The rule deduplicates over a 60-minute window and triggers when at least one qualifying event is observed (Threshold: 1). Its test cases use cross-region copies (including legitimate ones) as positives and in-region or failed copies as negatives. It is mapped to MITRE ATT&CK tactic TA0010 (Exfiltration), technique T1537 (Transfer Data to Cloud Account).

Runbook steps include reviewing the user's cross-region copy history over the past 24 hours, checking whether cross-region copies are normal for this account over the past 90 days, and checking for follow-on sharing events in the target region within 48 hours. The rule is focused on AWS CloudTrail data and RDS snapshot operations and is categorized as Medium severity: the risk of data exfiltration or unintended exposure is balanced by legitimate DR and sharing use cases. Reference documentation for RDS cross-region snapshot copying is provided for context and validation.
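The detection logic described above, run over a handful of constructed CloudTrail records, as an added worked example (this is not the rule's own implementation). It classifies copies as cross-region or cross-account from the source snapshot ARN, drops failed copies, applies the 60-minute dedup window, and then correlates each hit with a later snapshot-sharing call in the target region inside 48 hours. The record layout follows CloudTrail's camel-cased requestParameters; the use of ModifyDBSnapshotAttribute / ModifyDBClusterSnapshotAttribute with attributeName "restore" as the follow-on sharing event, the account IDs, principal IDs, snapshot names and the error code are all assumptions of this example.

```python
"""Added example: cross-region / cross-account RDS snapshot copy detection over CloudTrail."""
import json
from datetime import datetime, timedelta

COPY_EVENTS = {"CopyDBSnapshot", "CopyDBClusterSnapshot"}
# Sharing an RDS snapshot is done with these calls (attributeName "restore"); the rule
# summary does not name them, so using them as the follow-on event is an assumption here.
SHARE_EVENTS = {"ModifyDBSnapshotAttribute", "ModifyDBClusterSnapshotAttribute"}
DEDUP_WINDOW = timedelta(minutes=60)
SHARE_WINDOW = timedelta(hours=48)


def _time(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def parse_snapshot_arn(ident):
    """arn:aws:rds:<region>:<account>:(snapshot|cluster-snapshot):<name> -> (region, account, name).
    A bare snapshot name (same-region, same-account copy) returns None."""
    parts = ident.split(":")
    if len(parts) == 7 and parts[0] == "arn" and parts[2] == "rds":
        return parts[3], parts[4], parts[6]
    return None


def classify_copy(rec):
    """Return a finding for a cross-region or cross-account copy, else None."""
    if rec.get("eventSource") != "rds.amazonaws.com" or rec.get("eventName") not in COPY_EVENTS:
        return None
    if rec.get("errorCode"):  # a failed copy moved no data: negative test case
        return None
    p = rec.get("requestParameters") or {}
    source = p.get("sourceDBSnapshotIdentifier") or p.get("sourceDBClusterSnapshotIdentifier") or ""
    target = p.get("targetDBSnapshotIdentifier") or p.get("targetDBClusterSnapshotIdentifier") or ""
    parsed = parse_snapshot_arn(source)
    # The copy call is made to the destination region, so awsRegion is the target region.
    src_region = p.get("sourceRegion") or (parsed[0] if parsed else rec["awsRegion"])
    src_account = parsed[1] if parsed else rec["recipientAccountId"]
    cross_region = src_region != rec["awsRegion"]
    cross_account = src_account != rec["recipientAccountId"]
    if not (cross_region or cross_account):
        return None
    return {"time": _time(rec), "principal": rec["userIdentity"].get("principalId"),
            "identity_type": rec["userIdentity"].get("type"), "source": source,
            "source_region": src_region, "source_account": src_account, "target": target,
            "target_region": rec["awsRegion"], "cross_region": cross_region,
            "cross_account": cross_account, "shared_with": []}


def run_detection(records):
    """Apply the rule (threshold 1, 60-minute dedup) and correlate hits with sharing in 48 h."""
    records = sorted(records, key=_time)
    findings, last_seen = [], {}
    for rec in records:
        f = classify_copy(rec)
        if f is None:
            continue
        key = (f["principal"], f["source"], f["target_region"])
        if key in last_seen and f["time"] - last_seen[key] < DEDUP_WINDOW:
            continue  # same copy seen again inside the dedup window
        last_seen[key] = f["time"]
        findings.append(f)
    for f in findings:  # runbook step: follow-on sharing of the copied snapshot in the target region
        for rec in records:
            if rec.get("eventName") not in SHARE_EVENTS or rec.get("errorCode"):
                continue
            p = rec.get("requestParameters") or {}
            snap = p.get("dBSnapshotIdentifier") or p.get("dBClusterSnapshotIdentifier")
            if (rec["awsRegion"] == f["target_region"] and snap == f["target"]
                    and p.get("attributeName") == "restore"
                    and timedelta(0) <= _time(rec) - f["time"] <= SHARE_WINDOW):
                f["shared_with"].extend(p.get("valuesToAdd") or [])
    return findings


def _event(name, time, region, params, principal="AIDAEXAMPLEUSER", error=None):
    rec = {"eventSource": "rds.amazonaws.com", "eventName": name, "eventTime": time,
           "awsRegion": region, "recipientAccountId": "111111111111",
           "userIdentity": {"type": "IAMUser", "principalId": principal},
           "requestParameters": params}
    if error:
        rec["errorCode"] = error
    return rec


PROD_ARN = "arn:aws:rds:us-east-1:111111111111:snapshot:prod-db-2026-04-21"
SAMPLE_EVENTS = [  # constructed CloudTrail records, not real telemetry
    _event("CopyDBSnapshot", "2026-04-21T10:00:00Z", "us-west-2",
           {"sourceDBSnapshotIdentifier": PROD_ARN, "targetDBSnapshotIdentifier": "prod-db-copy"}),
    _event("CopyDBSnapshot", "2026-04-21T10:30:00Z", "us-west-2",  # retry inside the dedup window
           {"sourceDBSnapshotIdentifier": PROD_ARN, "targetDBSnapshotIdentifier": "prod-db-copy"}),
    _event("CopyDBSnapshot", "2026-04-21T11:00:00Z", "us-east-1",  # in-region copy: negative
           {"sourceDBSnapshotIdentifier": "prod-db-2026-04-21", "targetDBSnapshotIdentifier": "prod-db-local"}),
    _event("CopyDBSnapshot", "2026-04-21T11:15:00Z", "eu-west-1",  # failed copy: negative
           {"sourceDBSnapshotIdentifier": PROD_ARN, "targetDBSnapshotIdentifier": "prod-db-eu"},
           error="DBSnapshotNotFoundFault"),
    _event("CopyDBSnapshot", "2026-04-21T11:45:00Z", "us-west-2", principal="AROAEXAMPLEROLE:ci",
           params={"sourceDBSnapshotIdentifier": "arn:aws:rds:us-west-2:333333333333:snapshot:partner-export",
                   "targetDBSnapshotIdentifier": "partner-copy"}),  # cross-account, same region
    _event("ModifyDBSnapshotAttribute", "2026-04-22T09:00:00Z", "us-west-2",  # shared 23 h later
           {"dBSnapshotIdentifier": "prod-db-copy", "attributeName": "restore",
            "valuesToAdd": ["222222222222"]}),
]

if __name__ == "__main__":
    print(json.dumps(run_detection(SAMPLE_EVENTS), indent=2, default=str))
```

Running the block prints two findings: the us-east-1 to us-west-2 copy, reported once despite the retry and annotated with the account it was later shared with, and the cross-account copy from 333333333333. The in-region and failed copies produce nothing, matching the rule's negative test cases.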
Categories
- Cloud
- AWS
Data Sources
- Cloud Service
- Snapshot
ATT&CK Techniques
- T1537
Created: 2026-04-21