AWS EKS Control Plane Logging Disabled

Elastic Detection Rules

Summary
This rule detects a specific, high-risk configuration change in Amazon EKS where control plane logging is disabled via an UpdateClusterConfig request. It monitors CloudTrail events from the AWS EKS service (eks.amazonaws.com) where the action is UpdateClusterConfig, the outcome is success, and the request_parameters indicate logging has been disabled (logging.enabled=false or similar). Disabling control plane logs reduces visibility into cluster activity, potentially masking reconnaissance, credential abuse, or post-compromise actions.

The rule carries a built-in risk score of 47 and medium severity, and maps to MITRE ATT&CK Defense Evasion, specifically T1562.008 (Disable or Modify Cloud Logs). It provides a structured investigation path: verify the caller identity (user.name, user_identity.arn), source IP, user_agent, and cloud context; confirm which log types were affected; and correlate with IAM and EKS activity to determine whether the change was approved or malicious.

Recommended responses include re-enabling control plane logging, restricting eks:UpdateClusterConfig permissions, rotating credentials, and auditing for related persistence mechanisms. The rule also includes triage notes, a concise investigation guide, and references to AWS documentation for control-plane logs and the UpdateClusterConfig API, making it actionable for incident response teams.
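As an added illustration (not the rule's own query), the following Python applies the conditions the summary describes to constructed CloudTrail-style records and pulls out the triage fields the investigation path asks for. The record layout (eventSource, eventName, errorCode, requestParameters.logging.clusterLogging with types and enabled) is the EKS CloudTrail shape as assumed here, and every ARN, IP address and cluster name is a placeholder.

```python
def disables_control_plane_logging(event: dict) -> list:
    """Return the log types this event disables; [] means the rule would not match."""
    if event.get("eventSource") != "eks.amazonaws.com" or event.get("eventName") != "UpdateClusterConfig":
        return []
    if event.get("errorCode"):          # CloudTrail marks failures with errorCode; rule needs success
        return []
    params = event.get("requestParameters") or {}
    setups = (params.get("logging") or {}).get("clusterLogging") or []
    # Each entry groups log types under one enabled flag; collect the types being switched off.
    return [t for setup in setups if setup.get("enabled") is False
            for t in setup.get("types", [])]

def triage_context(event: dict) -> dict:
    # Caller ARN, source IP, user agent and cluster name: the fields the investigation path starts from.
    ident = event.get("userIdentity") or {}
    return {
        "arn": ident.get("arn"),
        "source_ip": event.get("sourceIPAddress"),
        "user_agent": event.get("userAgent"),
        "cluster": (event.get("requestParameters") or {}).get("name"),
    }

def find_alerts(events: list) -> list:
    """Run the rule over a batch of records; one alert dict per matching record."""
    alerts = []
    for event in events:
        types = disables_control_plane_logging(event)
        if types:
            alerts.append({**triage_context(event), "disabled_types": types})
    return alerts

# Constructed sample records (not real CloudTrail data); ARNs and IPs are placeholders.
SAMPLE_EVENTS = [
    {"eventSource": "eks.amazonaws.com", "eventName": "UpdateClusterConfig",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-admin"},
     "sourceIPAddress": "198.51.100.10", "userAgent": "aws-cli/2.0",
     "requestParameters": {"name": "prod-eks", "logging": {"clusterLogging": [
         {"types": ["audit", "authenticator"], "enabled": False}]}}},
    {"eventSource": "eks.amazonaws.com", "eventName": "UpdateClusterConfig",  # enabling: no match
     "requestParameters": {"name": "dev-eks", "logging": {"clusterLogging": [
         {"types": ["api"], "enabled": True}]}}},
    {"eventSource": "eks.amazonaws.com", "eventName": "UpdateClusterConfig",  # denied: no match
     "errorCode": "AccessDeniedException",
     "requestParameters": {"name": "prod-eks", "logging": {"clusterLogging": [
         {"types": ["audit"], "enabled": False}]}}},
]

if __name__ == "__main__":
    print(find_alerts(SAMPLE_EVENTS))
```

Only the first record alerts: the second turns logging on, and the third was denied, so its outcome is not success.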
Categories
  • Cloud
  • AWS
  • Kubernetes
Data Sources
  • Cloud Service
  • Cloud Storage
ATT&CK Techniques
  • T1562
  • T1562.008
Created: 2026-05-07