
Summary
This detection rule monitors the versioning status of AWS S3 buckets and fires when versioning is suspended on a bucket. Once versioning has been set on a bucket it is either Enabled or Suspended; it cannot be switched off outright, so "disabled" here means suspended. Suspending versioning stops S3 from retaining prior versions of objects written from that point on, so later overwrites and deletions of those objects cannot be rolled back from version history (versions that already exist are retained until something deletes them). This makes the event critical to track, because it commonly precedes data destruction operations associated with ransomware attacks. The rule leverages AWS CloudTrail logs to audit the S3 API calls that threaten the integrity of data stored in S3 buckets: the suspension itself is a PutBucketVersioning call whose VersioningConfiguration status is Suspended, which CloudTrail records as a bucket-level management event. The detection includes specific queries that look for object deletion events (DeleteObject and DeleteObjects) on the same bucket after the suspension, and correlates these with other security configuration changes to identify patterns of abuse or misconfiguration that may signal an attack. Note that object-level deletions are S3 data events, which CloudTrail only records when data event logging is enabled for the bucket or trail; without it, the follow-up deletion queries will return nothing even while deletions are happening.
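The correlation the summary describes, as an added worked example rather than the rule's own query: it parses CloudTrail records (constructed sample lines below, not real log data), picks out successful PutBucketVersioning calls that set Status=Suspended, and then looks for object deletions and other bucket configuration changes on the same bucket inside a time window. The set of configuration event names, the one-hour window, and the severity labels are this example's assumptions; the page does not give the rule's own event list or thresholds.

```python
"""Correlate S3 versioning suspension with follow-up deletions in CloudTrail records."""
import json
from datetime import datetime, timedelta, timezone

# Object-level deletions (S3 data events; only present if data event logging is on).
DELETE_EVENTS = {"DeleteObject", "DeleteObjects"}
# Assumed list of bucket configuration changes worth correlating; tune to your estate.
CONFIG_EVENTS = {"PutBucketLifecycle", "PutBucketPolicy", "DeleteBucketPolicy",
                 "PutBucketAcl", "DeleteBucketEncryption"}

# Constructed CloudTrail records (JSON lines), not captured from a real account.
# Field layout follows CloudTrail's requestParameters shape for these S3 calls.
SAMPLE_CLOUDTRAIL = """\
{"eventTime":"2025-12-10T10:00:00Z","eventSource":"s3.amazonaws.com","eventName":"PutBucketVersioning","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":{"bucketName":"backups-prod","versioning":"","VersioningConfiguration":{"xmlns":"http://s3.amazonaws.com/doc/2006-03-01/","Status":"Suspended"}}}
{"eventTime":"2025-12-10T10:02:30Z","eventSource":"s3.amazonaws.com","eventName":"PutBucketLifecycle","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":{"bucketName":"backups-prod","lifecycle":""}}
{"eventTime":"2025-12-10T10:03:12Z","eventSource":"s3.amazonaws.com","eventName":"DeleteObject","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":{"bucketName":"backups-prod","key":"db/2025-12-09.dump"}}
{"eventTime":"2025-12-10T10:03:40Z","eventSource":"s3.amazonaws.com","eventName":"DeleteObjects","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":{"bucketName":"backups-prod","delete":""}}
{"eventTime":"2025-12-10T11:30:00Z","eventSource":"s3.amazonaws.com","eventName":"PutBucketVersioning","userIdentity":{"arn":"arn:aws:iam::111122223333:role/terraform"},"requestParameters":{"bucketName":"scratch-dev","versioning":"","VersioningConfiguration":{"xmlns":"http://s3.amazonaws.com/doc/2006-03-01/","Status":"Enabled"}}}
{"eventTime":"2025-12-10T12:00:00Z","eventSource":"s3.amazonaws.com","eventName":"DeleteObject","userIdentity":{"arn":"arn:aws:iam::111122223333:role/terraform"},"requestParameters":{"bucketName":"scratch-dev","key":"tmp/build.log"}}
{"eventTime":"2025-12-10T12:30:00Z","eventSource":"s3.amazonaws.com","eventName":"DeleteObject","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":{"bucketName":"backups-prod","key":"db/2025-12-08.dump"}}
{"eventTime":"2025-12-10T13:00:00Z","eventSource":"s3.amazonaws.com","eventName":"PutBucketVersioning","errorCode":"AccessDenied","userIdentity":{"arn":"arn:aws:iam::111122223333:user/mallory"},"requestParameters":{"bucketName":"finance-archive","versioning":"","VersioningConfiguration":{"xmlns":"http://s3.amazonaws.com/doc/2006-03-01/","Status":"Suspended"}}}
"""


def load_records(jsonl):
    """Parse one CloudTrail record per line."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def parse_time(ts):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def bucket_of(rec):
    return (rec.get("requestParameters") or {}).get("bucketName")


def is_versioning_suspension(rec):
    """True only for a successful PutBucketVersioning that set Status=Suspended.

    A call that carries errorCode (e.g. AccessDenied) did not change the bucket; it
    is still an attempt worth a separate, lower-severity rule, but not this one.
    """
    if rec.get("eventSource") != "s3.amazonaws.com":
        return False
    if rec.get("eventName") != "PutBucketVersioning" or rec.get("errorCode"):
        return False
    cfg = (rec.get("requestParameters") or {}).get("VersioningConfiguration") or {}
    return cfg.get("Status") == "Suspended"


def find_alerts(records, window=timedelta(hours=1)):
    """One alert per successful suspension, enriched with same-bucket follow-ups."""
    recs = sorted(records, key=lambda r: parse_time(r["eventTime"]))
    alerts = []
    for i, rec in enumerate(recs):
        if not is_versioning_suspension(rec):
            continue
        bucket, t0 = bucket_of(rec), parse_time(rec["eventTime"])
        deletes, config_changes = [], []
        for later in recs[i + 1:]:
            if parse_time(later["eventTime"]) > t0 + window:
                break  # sorted, so nothing further is inside the window
            if bucket_of(later) != bucket or later.get("errorCode"):
                continue
            if later["eventName"] in DELETE_EVENTS:
                deletes.append(later)
            elif later["eventName"] in CONFIG_EVENTS:
                config_changes.append(later)
        alerts.append({
            "bucket": bucket,
            "actor": (rec.get("userIdentity") or {}).get("arn"),
            "suspended_at": rec["eventTime"],
            "delete_count": len(deletes),
            "delete_actors": sorted({(d.get("userIdentity") or {}).get("arn") for d in deletes}),
            "config_changes": [c["eventName"] for c in config_changes],
            # Assumed scoring: suspension alone is notable, suspension plus deletes is urgent.
            "severity": "high" if deletes else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(load_records(SAMPLE_CLOUDTRAIL)):
        print(json.dumps(alert))
```

Run against the sample, only backups-prod produces an alert: the Enabled call on scratch-dev is not a suspension, the AccessDenied attempt on finance-archive never changed anything, and the 12:30 deletion on backups-prod falls outside the one-hour window and so does not count toward the alert even though it is the same bucket and actor. In production the window and the handling of out-of-window deletions are the knobs to tune against your own rotation and cleanup jobs.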
Categories
- Cloud
- AWS
- On-Premise
Data Sources
- Cloud Storage
- Logon Session
- Network Traffic
- Cloud Service
ATT&CK Techniques
- T1562 (Impair Defenses)
- T1485 (Data Destruction)
Created: 2025-12-10