
Summary
Detects deletion of AWS RDS automated backups (both DBInstanceAutomatedBackup and DBClusterAutomatedBackup) by monitoring CloudTrail events from AWS RDS. Deleting automated backups is a common ransomware tactic used to hinder recovery, so the rule flags each such deletion as potential defense evasion or data destruction.

Key signal: CloudTrail entries with eventSource rds.amazonaws.com and eventName DeleteDBInstanceAutomatedBackup or DeleteDBClusterAutomatedBackup, marked as a managementEvent, carrying the relevant requestParameters (dbiResourceId or dbClusterResourceId) and a corresponding backup ARN in responseElements. The detection applies to both IAM users and assumed roles. With a DedupPeriodMinutes of 60 and a Threshold of 1, a single matching event is enough to generate an alert. The rule is mapped to MITRE ATT&CK techniques TA0040:T1485 and TA0040:T1490.

The included tests cover two positive cases (an attacker using an assumed role, and a malicious IAM user) and negative cases (configuration or permission changes, and deletions of resources other than automated backups).

Runbook guidance focuses on rapid triage and correlation:
- Within the past 24 hours, identify automated backup deletions by the involved user ARN to spot bulk patterns.
- Determine whether this user has deleted backups in the past 90 days, to establish whether this is normal behavior for them.
- Inspect for database deletions or modifications by the same user within 6 hours after the backup deletion, to corroborate impact.

A reference is provided to the AWS documentation on Automated Backups.
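The signal described above, as an added Python example that is not the rule's own code: a rule() function applying the eventSource, eventName, managementEvent, requestParameters and responseElements checks to a CloudTrail record. The sample events are constructed, and the nested key names under responseElements (dBInstanceAutomatedBackup / dBInstanceAutomatedBackupsArn) are an assumption about the RDS response shape, which is why the code walks responseElements for any RDS ARN instead of relying on a fixed path.

```python
from typing import Any, Iterator

# eventName to flag, mapped to the requestParameters key the rule expects.
BACKUP_DELETE_EVENTS = {
    "DeleteDBInstanceAutomatedBackup": "dbiResourceId",
    "DeleteDBClusterAutomatedBackup": "dbClusterResourceId",
}

def _rds_arns(node: Any) -> Iterator[str]:
    """Recursively yield every string in responseElements that is an RDS ARN."""
    if isinstance(node, dict):
        for value in node.values():
            yield from _rds_arns(value)
    elif isinstance(node, list):
        for value in node:
            yield from _rds_arns(value)
    elif isinstance(node, str) and node.startswith("arn:aws:rds:"):
        yield node

def rule(event: dict) -> bool:
    """True when the record is a successful RDS automated-backup deletion."""
    if event.get("eventSource") != "rds.amazonaws.com":
        return False
    if not event.get("managementEvent"):
        return False
    if event.get("errorCode"):  # e.g. AccessDenied: nothing was actually deleted
        return False
    resource_key = BACKUP_DELETE_EVENTS.get(event.get("eventName", ""))
    if resource_key is None:
        return False
    if not (event.get("requestParameters") or {}).get(resource_key):
        return False
    # A backup ARN in the response confirms the deletion applied to a real backup.
    return next(_rds_arns(event.get("responseElements") or {}), None) is not None

def actor_arn(event: dict) -> str:
    """Works for IAM users and assumed-role sessions alike (both carry userIdentity.arn)."""
    return (event.get("userIdentity") or {}).get("arn", "<unknown>")

def title(event: dict) -> str:
    return f"RDS automated backup deleted by {actor_arn(event)} via {event.get('eventName')}"

# Constructed sample records (not real CloudTrail data).
SAMPLE_ASSUMED_ROLE_DELETE = {
    "eventSource": "rds.amazonaws.com", "eventName": "DeleteDBInstanceAutomatedBackup",
    "managementEvent": True,
    "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/ops-admin/s1"},
    "requestParameters": {"dbiResourceId": "db-EXAMPLE1234567890"},
    "responseElements": {"dBInstanceAutomatedBackup": {
        "dBInstanceAutomatedBackupsArn": "arn:aws:rds:us-east-1:123456789012:auto-backup:ab-EXAMPLE"}},
}
SAMPLE_SNAPSHOT_DELETE = {**SAMPLE_ASSUMED_ROLE_DELETE, "eventName": "DeleteDBSnapshot",
                          "requestParameters": {"dBSnapshotIdentifier": "snap-example"}}
```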
Categories
- Cloud
- Database
- AWS
Data Sources
- Cloud Service
ATT&CK Techniques
- T1485
- T1490
Created: 2026-04-21