
Summary
Detects when an IAM role is added to an Amazon RDS instance or Aurora cluster by monitoring the AWS CloudTrail events AddRoleToDBInstance and AddRoleToDBCluster. These operations are legitimate for features such as S3 import/export, but an attacker may attach an overly permissive role to maintain access or to escalate privileges for data exfiltration.

The rule watches for AddRoleToDBInstance and AddRoleToDBCluster events that attach a role to a database resource, capturing details such as the role ARN and the target DB resource. It uses historical context to distinguish normal behavior (e.g., a user who has added roles to databases within the last 90 days) from anomalous activity, and correlates the role addition with subsequent database activity (data export or modification) within 48 hours. Deduplication with a 60-minute window reduces noise.

The runbook guides triage in three steps: (1) identify IAM role additions by user ARN in the past 24 hours, (2) compare against the 90-day history of role additions to databases to assess normalcy, and (3) look for related data export or modification operations in the 48 hours following the role addition.

The rule aligns with MITRE ATT&CK techniques TA0003:T1098.001 and TA0004:T1078.004. References include AWS RDS S3 Import/Export guidance. The rule is marked Experimental with Medium severity and is designed to help detect persistence or privilege escalation via additional cloud credentials on RDS resources.
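As an added illustration of the logic the summary describes (this is not the rule's own query or any vendor code): a small Python detector over constructed CloudTrail-style records that flags AddRoleToDBInstance/AddRoleToDBCluster, records the role ARN and target DB identifier, marks whether the actor has added a role to a database in the preceding 90 days, and suppresses repeats of the same addition within 60 minutes. The requestParameters field names (roleArn, dBInstanceIdentifier, dBClusterIdentifier) follow CloudTrail's layout for these calls but are assumed here; all ARNs, identifiers and timestamps are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

ROLE_EVENTS = {"AddRoleToDBInstance", "AddRoleToDBCluster"}
HISTORY_WINDOW = timedelta(days=90)   # lookback for "has this user done this before?"
DEDUP_WINDOW = timedelta(minutes=60)  # suppress repeats of the same addition

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def detect_role_additions(events):
    """events: time-ordered CloudTrail-like dicts. Returns one alert per role addition that
    survives dedup; known_actor is True when the same user added a DB role in the prior 90 days."""
    alerts, last_alert, history = [], {}, {}
    for ev in events:
        if (ev.get("eventSource") != "rds.amazonaws.com"
                or ev.get("eventName") not in ROLE_EVENTS or "errorCode" in ev):
            continue  # not an RDS role addition, or the call failed and attached nothing
        t, user = _ts(ev["eventTime"]), ev["userIdentity"]["arn"]
        p = ev.get("requestParameters") or {}
        role = p.get("roleArn")
        target = p.get("dBInstanceIdentifier") or p.get("dBClusterIdentifier")
        prior = [h for h in history.get(user, []) if t - h <= HISTORY_WINDOW]
        history.setdefault(user, []).append(t)
        key = (user, role, target)
        if key in last_alert and t - last_alert[key] <= DEDUP_WINDOW:
            continue  # same addition already alerted inside the dedup window
        last_alert[key] = t
        alerts.append({"time": ev["eventTime"], "user": user, "event": ev["eventName"],
                       "role": role, "target": target, "known_actor": bool(prior)})
    return alerts

# Constructed sample records (not real CloudTrail data); field names follow CloudTrail's layout.
def _ev(time, name, user, params, error=None):
    ev = {"eventTime": time, "eventSource": "rds.amazonaws.com", "eventName": name,
          "userIdentity": {"arn": user}, "requestParameters": params}
    if error: ev["errorCode"] = error
    return ev

ALICE, BOB = "arn:aws:iam::123456789012:user/alice", "arn:aws:iam::123456789012:user/bob"
IMPORT_ROLE, EXPORT_ROLE = "arn:aws:iam::123456789012:role/s3-import", "arn:aws:iam::123456789012:role/s3-export"
SAMPLE_EVENTS = [
    _ev("2026-01-10T09:00:00Z", "AddRoleToDBInstance", ALICE, {"dBInstanceIdentifier": "db-a", "roleArn": IMPORT_ROLE}),
    _ev("2026-01-10T09:20:00Z", "AddRoleToDBInstance", ALICE, {"dBInstanceIdentifier": "db-a", "roleArn": IMPORT_ROLE}),  # repeat < 60 min: deduped
    _ev("2026-03-01T14:00:00Z", "AddRoleToDBCluster", ALICE, {"dBClusterIdentifier": "cluster-b", "roleArn": EXPORT_ROLE}),  # 50 days on: known actor
    _ev("2026-03-02T08:00:00Z", "AddRoleToDBInstance", BOB, {"dBInstanceIdentifier": "db-a", "roleArn": EXPORT_ROLE}, error="AccessDenied"),
    _ev("2026-07-01T10:00:00Z", "AddRoleToDBInstance", ALICE, {"dBInstanceIdentifier": "db-c", "roleArn": IMPORT_ROLE}),  # 122 days on: not known
]

if __name__ == "__main__":
    print(*detect_role_additions(SAMPLE_EVENTS), sep="\n")
```

The 48-hour correlation with later export or modification activity is a second stage the summary describes and is not modelled here.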
Categories
- AWS
- Database
- Cloud
Data Sources
- Cloud Service
ATT&CK Techniques
- T1098.001
- T1078.004
Created: 2026-04-21