
Summary
Detects when an AWS RDS instance or cluster is modified to become publicly accessible, based on CloudTrail events (ModifyDBInstance or ModifyDBCluster with publiclyAccessible set to true). An internet-exposed database surface can give an attacker a persistence foothold or a path for data exfiltration. The rule matches the modification event in real time and correlates it with prior access patterns and subsequent external connection attempts. It also provides containment guidance: revert publiclyAccessible to false if the change was unauthorized, review the VPC security groups for overly permissive rules (0.0.0.0/0), and inspect the database logs for external access attempts. Related API activity within defined time windows is cross-referenced to identify suspicious behavior, and the rule is mapped to the relevant MITRE ATT&CK techniques for defense coverage.
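The following is an added illustration of the core match logic described above, not the rule's own implementation. It runs a minimal detector over constructed CloudTrail records: it keeps only successful rds.amazonaws.com ModifyDBInstance/ModifyDBCluster calls whose requestParameters.publiclyAccessible is true, and emits a finding that names the resource to revert. The sample events, identities and identifiers are constructed for the example; the CloudTrail field names (eventSource, eventName, requestParameters, errorCode, userIdentity, sourceIPAddress) are the standard ones, and the RDS parameter casing (dBInstanceIdentifier, dBClusterIdentifier, publiclyAccessible) follows what CloudTrail records for these calls.

```python
"""Minimal detector for RDS instances/clusters made publicly accessible.

Added example: matches the CloudTrail condition described by the rule summary
(ModifyDBInstance / ModifyDBCluster with publiclyAccessible = true).
"""
from typing import Any, Dict, List

# Only modification calls are in scope for this rule; CreateDBInstance with
# publiclyAccessible=true is a related but separate condition.
WATCHED_EVENTS = {"ModifyDBInstance", "ModifyDBCluster"}
RDS_SOURCE = "rds.amazonaws.com"
ATTACK_TECHNIQUES = ["T1098", "T1562.007", "T1133"]

# Constructed sample CloudTrail records (not real log data).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {   # 1. instance flipped to public, call succeeded -> finding
        "eventTime": "2026-04-21T10:15:02Z", "eventSource": RDS_SOURCE,
        "eventName": "ModifyDBInstance", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"},
        "requestParameters": {"dBInstanceIdentifier": "example-db-01",
                              "publiclyAccessible": True},
    },
    {   # 2. instance set back to private -> benign
        "eventTime": "2026-04-21T10:20:44Z", "eventSource": RDS_SOURCE,
        "eventName": "ModifyDBInstance", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"},
        "requestParameters": {"dBInstanceIdentifier": "example-db-01",
                              "publiclyAccessible": False},
    },
    {   # 3. attempt was denied by IAM -> no exposure happened, suppress
        "eventTime": "2026-04-21T11:02:09Z", "eventSource": RDS_SOURCE,
        "eventName": "ModifyDBCluster", "sourceIPAddress": "198.51.100.7",
        "errorCode": "AccessDenied",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:role/example-ci"},
        "requestParameters": {"dBClusterIdentifier": "example-cluster-a",
                              "publiclyAccessible": "true"},
    },
    {   # 4. cluster flipped to public (string-typed boolean) -> finding
        "eventTime": "2026-04-21T11:05:31Z", "eventSource": RDS_SOURCE,
        "eventName": "ModifyDBCluster", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:role/example-ci"},
        "requestParameters": {"dBClusterIdentifier": "example-cluster-a",
                              "publiclyAccessible": "true"},
    },
    {   # 5. creation with public flag: out of scope for this rule
        "eventTime": "2026-04-21T12:00:00Z", "eventSource": RDS_SOURCE,
        "eventName": "CreateDBInstance", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"},
        "requestParameters": {"dBInstanceIdentifier": "example-db-02",
                              "publiclyAccessible": True},
    },
]


def _is_true(value: Any) -> bool:
    """CloudTrail may carry the flag as a JSON bool or as the string 'true'."""
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() == "true"


def is_public_exposure_event(event: Dict[str, Any]) -> bool:
    """True when the event is a successful RDS modify call that sets publiclyAccessible."""
    if event.get("eventSource") != RDS_SOURCE:
        return False
    if event.get("eventName") not in WATCHED_EVENTS:
        return False
    if event.get("errorCode"):  # failed calls did not change the resource
        return False
    params = event.get("requestParameters") or {}
    return _is_true(params.get("publiclyAccessible"))


def resource_identifier(event: Dict[str, Any]) -> str:
    params = event.get("requestParameters") or {}
    return params.get("dBInstanceIdentifier") or params.get("dBClusterIdentifier") or "<unknown>"


def detect(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return one finding per matching event, with the fields a responder needs
    to verify authorization and revert the change."""
    findings = []
    for ev in events:
        if not is_public_exposure_event(ev):
            continue
        findings.append({
            "time": ev.get("eventTime"),
            "api": ev.get("eventName"),
            "resource": resource_identifier(ev),
            "actor": (ev.get("userIdentity") or {}).get("arn", "<unknown>"),
            "source_ip": ev.get("sourceIPAddress"),
            "techniques": ATTACK_TECHNIQUES,
            "containment": "Confirm change is authorized; otherwise set publiclyAccessible=false, "
                           "review security groups for 0.0.0.0/0 ingress, and check DB logs.",
        })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["time"], f["api"], f["resource"], f["actor"], f["source_ip"])
```

Event 3 is deliberately suppressed: a denied ModifyDBCluster call leaves the cluster private, so it is better routed to a separate "repeated denied exposure attempts" signal than raised as an exposure. Event 2, the revert, is also a useful signal on its own (it closes the window opened by event 1) and is the kind of subsequent activity the rule correlates within its time windows.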
Categories
- Cloud
- AWS
- Database
Data Sources
- Cloud Service
ATT&CK Techniques
- T1098
- T1562.007
- T1133
Created: 2026-04-21