Excessive AWS S3 Object Encryption with SSE-C

Elastic Detection Rules

Summary
This rule detects excessive use of Server-Side Encryption with Customer-Provided Keys (SSE-C) on AWS S3 objects. Because S3 never stores the customer-supplied key, a burst of SSE-C writes made with compromised credentials can leave data readable only by whoever holds that key, which is the pattern of a ransomware attempt against a bucket. The detection is a threshold rule: it fires when more than 20 SSE-C encryption events are observed for a single bucket within a short time window.

The rule is intended to help analysts investigate potential unauthorized access and determine whether the encryption activity matches legitimate operational practice. Investigation steps include reviewing the user identity behind the requests, examining the target bucket and objects, evaluating the encryption behavior, correlating with recent related events (for example credential changes or unusual API activity from the same principal), validating the principal's access permissions, assessing the impact of the encryption, and ruling out false positives from legitimate SSE-C usage. The rule applies only in environments where CloudTrail is configured to record S3 data events; PutObject is a data event rather than a management event, so without that logging the encryption activity is not visible and monitoring cannot be maintained through an incident.
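The threshold logic described above, as an added example that is not the Elastic rule's own code: a sliding-window counter over CloudTrail-style S3 data events that raises one alert per bucket once more than 20 successful SSE-C PutObject calls fall inside the window. The record field names (eventName, eventSource, requestParameters.bucketName, x-amz-server-side-encryption-customer-algorithm) are assumed to follow the CloudTrail S3 data-event schema, the five-minute window is an assumption since the page only says "a short time", and the input records are constructed sample data, not real logs.

```python
"""Threshold detection for excessive SSE-C PutObject events per S3 bucket.

Added example (not Elastic's rule code). Input is a list of CloudTrail-style
records; the field names used here are assumed to match the CloudTrail S3
data-event schema.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

THRESHOLD = 20                  # alert when MORE than this many events per bucket
WINDOW = timedelta(minutes=5)   # assumed window; the rule text only says "a short time"


def is_ssec_put(event: dict) -> bool:
    """True for a successful PutObject that used customer-provided keys (SSE-C)."""
    if event.get("eventSource") != "s3.amazonaws.com":
        return False
    if event.get("eventName") != "PutObject":
        return False
    if "errorCode" in event:            # a failed request encrypted nothing
        return False
    params = event.get("requestParameters") or {}
    return params.get("x-amz-server-side-encryption-customer-algorithm") == "AES256"


def detect_excessive_ssec(events, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count per bucket; emits one alert per bucket on the first breach."""
    recent = defaultdict(deque)   # bucket -> timestamps inside the current window
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if not is_ssec_put(ev):
            continue
        bucket = ev["requestParameters"]["bucketName"]
        ts = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
        q = recent[bucket]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold and bucket not in alerted:
            alerted.add(bucket)
            alerts.append({
                "bucket": bucket,
                "count": len(q),
                "actor": ev.get("userIdentity", {}).get("arn"),
                "window_start": q[0].isoformat(),
                "window_end": ts.isoformat(),
            })
    return alerts


def make_event(bucket, seconds, ssec=True, ok=True,
               arn="arn:aws:iam::123456789012:user/constructed-user"):
    """Build a constructed CloudTrail-style PutObject record (sample data, not a real log)."""
    base = datetime(2025, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
    params = {"bucketName": bucket, "key": f"obj-{seconds}.bin"}
    if ssec:
        params["x-amz-server-side-encryption-customer-algorithm"] = "AES256"
    ev = {
        "eventTime": (base + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutObject",
        "userIdentity": {"arn": arn},
        "requestParameters": params,
    }
    if not ok:
        ev["errorCode"] = "AccessDenied"
    return ev


# Constructed sample: one bucket breaches the threshold, the others should stay quiet.
SAMPLE_EVENTS = (
    [make_event("victim-data", s) for s in range(25)]                    # 25 SSE-C puts in 25 s
    + [make_event("normal-backups", s * 60) for s in range(5)]           # 5 SSE-C puts, under threshold
    + [make_event("plain-uploads", s, ssec=False) for s in range(30)]    # 30 puts without SSE-C
    + [make_event("victim-data", 100 + s, ok=False) for s in range(30)]  # 30 denied attempts
)

if __name__ == "__main__":
    for alert in detect_excessive_ssec(SAMPLE_EVENTS):
        print(alert)
```

The denied-request and non-SSE-C buckets are included on purpose: the rule as described counts successful SSE-C encryption events, so an AccessDenied burst or ordinary SSE-S3/SSE-KMS uploads must not trip it, and the alert carries the acting principal's ARN so the identity review step can start from the alert itself.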
Categories
  • Cloud
  • AWS
  • Containers
Data Sources
  • Cloud Service
  • Cloud Storage
  • Network Traffic
ATT&CK Techniques
  • T1486
Created: 2025-01-15