
Summary
This detection rule identifies suspicious `PutBucketLifecycle` events in AWS CloudTrail logs: instances where a user applies a lifecycle rule to an S3 bucket with an expiration period of less than three days. Such activity is a red flag because an adversary can use it to delete CloudTrail logs quickly, circumventing detection and hindering forensic analysis. The rule inspects the lifecycle configuration recorded in the CloudTrail event to pinpoint potentially harmful actions taken by users. If confirmed as malicious, such actions pose a significant risk, since they let an attacker erase traces of their activity and complicate response and investigation. To use this detection effectively, CloudTrail logging must be enabled and properly configured in the AWS environment so that lifecycle configuration changes are recorded.
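As an added illustration, not part of this rule or its vendor's code, the Python below applies the rule's logic to constructed CloudTrail records; the `requestParameters.LifecycleConfiguration.Rule` layout, the sample ARN and the bucket names are assumptions.

```python
import json

MAX_EXPIRATION_DAYS = 3  # threshold from the rule: expiry shorter than this is suspicious


def lifecycle_rules(params):
    """CloudTrail records one rule as a dict and several as a list (assumed shape)."""
    rule = (params.get("LifecycleConfiguration") or {}).get("Rule", [])
    return rule if isinstance(rule, list) else [rule]


def short_expiration_days(event):
    """Shortest sub-threshold expiration (days) in a PutBucketLifecycle event, else None."""
    if event.get("eventSource") != "s3.amazonaws.com" or event.get("eventName") != "PutBucketLifecycle":
        return None
    hits = []
    for rule in lifecycle_rules(event.get("requestParameters") or {}):
        try:  # Days may be serialised as an int or a numeric string
            days = int((rule.get("Expiration") or {}).get("Days"))
        except (TypeError, ValueError):
            continue
        if 0 < days < MAX_EXPIRATION_DAYS:
            hits.append(days)
    return min(hits) if hits else None


def detect(lines):
    """Run the check over newline-delimited CloudTrail records; return (bucket, actor, days)."""
    findings = []
    for line in lines:
        event = json.loads(line)
        days = short_expiration_days(event)
        if days is not None:
            findings.append((event["requestParameters"].get("bucketName"),
                             (event.get("userIdentity") or {}).get("arn"), days))
    return findings


def _event(name, bucket, rule):
    """Constructed sample record (not real CloudTrail output)."""
    return json.dumps({"eventSource": "s3.amazonaws.com", "eventName": name,
                       "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example"},
                       "requestParameters": {"bucketName": bucket,
                                             "LifecycleConfiguration": {"Rule": rule}}})


SAMPLE_LOGS = [  # constructed: a 1-day purge of a trail bucket, a mixed list, a benign 30-day rule
    _event("PutBucketLifecycle", "example-trail-logs", {"ID": "purge", "Expiration": {"Days": 1}}),
    _event("PutBucketLifecycle", "example-archive", [{"Expiration": {"Days": 90}},
                                                     {"Expiration": {"Days": "2"}}]),
    _event("PutBucketLifecycle", "example-backups", {"Expiration": {"Days": 30}}),
    _event("PutBucketTagging", "example-trail-logs", {"Expiration": {"Days": 1}}),
]
```

Calling `detect(SAMPLE_LOGS)` flags only the first two records; the 30-day rule and the non-lifecycle API call are ignored.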
Categories
- Cloud
- AWS
Data Sources
- Cloud Storage
- Cloud Service
ATT&CK Techniques
- T1562.008
- T1562
- T1485.001
- T1485
Created: 2024-11-14