
Insecure AWS EC2 VPC Security Group Ingress Rule Added

Elastic Detection Rules

Summary
The rule detects the addition or modification of ingress rules on AWS EC2 VPC security groups, specifically rules that allow traffic from any IP address ("0.0.0.0/0" or "::/0") to sensitive ports such as SSH (port 22) and RDP (port 3389). Such a change greatly widens the attack surface and increases the risk of unauthorized access to EC2 instances; it may also indicate malicious intent, since adversaries could use it to establish remote access to cloud instances from compromised locations. The rule queries AWS CloudTrail logs for the specific actions that modify security groups, allowing organizations to respond quickly to potential security breaches, and it includes guidance on investigation steps, false positive analysis, and response actions for managing unauthorized changes.
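As an added illustration of the detection logic described above (this is not Elastic's rule code), the following Python applies the same conditions to constructed CloudTrail records: it keeps only ec2.amazonaws.com events whose eventName is AuthorizeSecurityGroupIngress (the action name is assumed; ModifySecurityGroupRules uses a different parameter layout and is not parsed here) and flags any ipPermissions entry that exposes port 22 or 3389 to "0.0.0.0/0" or "::/0", including the "all traffic" case (ipProtocol "-1") and wide port ranges that happen to include those ports.

```python
# Added example, not Elastic's rule. Sample records below are constructed and
# follow the AuthorizeSecurityGroupIngress requestParameters layout.
SENSITIVE_PORTS = {22, 3389}                   # SSH, RDP
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}           # any IPv4 / any IPv6 source
INGRESS_ACTIONS = {"AuthorizeSecurityGroupIngress"}   # assumed action of interest

def exposed_ports(perm):
    """Sensitive ports that one ipPermissions entry opens to the whole Internet."""
    cidrs = {r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])}
    cidrs |= {r.get("cidrIpv6") for r in perm.get("ipv6Ranges", {}).get("items", [])}
    if not cidrs & WORLD_CIDRS:
        return set()
    if perm.get("ipProtocol") == "-1":         # "-1" means all protocols and all ports
        return set(SENSITIVE_PORTS)
    lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)
    return {p for p in SENSITIVE_PORTS if lo <= p <= hi}

def find_insecure_ingress(events):
    """Return (eventID, groupId, [ports]) for each CloudTrail record matching the rule logic."""
    hits = []
    for ev in events:
        if ev.get("eventSource") != "ec2.amazonaws.com" or ev.get("eventName") not in INGRESS_ACTIONS:
            continue
        params = ev.get("requestParameters", {})
        ports = set()
        for perm in params.get("ipPermissions", {}).get("items", []):
            ports |= exposed_ports(perm)
        if ports:
            hits.append((ev["eventID"], params.get("groupId"), sorted(ports)))
    return hits

def _event(eid, name, perms, group="sg-0123456789abcdef0"):
    """Build a minimal constructed CloudTrail record (group id is a placeholder)."""
    return {"eventID": eid, "eventSource": "ec2.amazonaws.com", "eventName": name,
            "requestParameters": {"groupId": group, "ipPermissions": {"items": perms}}}

SAMPLE_EVENTS = [  # constructed, not real CloudTrail data
    _event("evt-1", "AuthorizeSecurityGroupIngress", [   # SSH from anywhere -> alert
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]),
    _event("evt-2", "AuthorizeSecurityGroupIngress", [   # RDP from an internal range -> benign
        {"ipProtocol": "tcp", "fromPort": 3389, "toPort": 3389, "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]),
    _event("evt-3", "AuthorizeSecurityGroupIngress", [   # all traffic from any IPv6 -> alert on both ports
        {"ipProtocol": "-1", "ipv6Ranges": {"items": [{"cidrIpv6": "::/0"}]}}]),
    _event("evt-4", "RevokeSecurityGroupIngress", [      # a rule removal, out of scope
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]),
]
```

Calling `find_insecure_ingress(SAMPLE_EVENTS)` returns hits for evt-1 (port 22) and evt-3 (ports 22 and 3389) only.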
Categories
  • Cloud
  • AWS
  • Infrastructure
Data Sources
  • Cloud Storage
  • Network Traffic
  • Cloud Service
  • Logon Session
  • Process
ATT&CK Techniques
  • T1562
  • T1562.007
Created: 2024-04-16