AWS RDS Deletion Protection Disabled

Panther Rules

Summary
Detects when deletion protection is disabled on Amazon RDS DB instances or clusters by analyzing AWS CloudTrail logs for RDS API calls. Specifically, the rule looks for ModifyDBInstance or ModifyDBCluster events where requestParameters.deletionProtection is set to false (often accompanied by applyImmediately: true) and the corresponding responseElements show deletionProtection: false or a status of modifying. Such an event indicates that an attacker or a misconfiguration has lowered the protection against accidental or intentional deletion.

The rule aggregates signals across accounts within a 24-hour window and uses a 60-minute dedup window to prevent alert storms. It maps to the MITRE ATT&CK techniques for impairing defenses and inhibiting recovery (TA0005:T1562 and TA0040:T1490). The detection covers both RDS DB instances and clusters and is aligned with the rule's Runbook and references.

The rule's test cases cover: legitimate changes (where deletion protection was also changed within the prior 90 days), protection disabled followed by deletion attempts, protection disabled together with exposure (publicly accessible), benign modifications that do not touch deletion protection, and modifications that failed due to insufficient permissions.

The detection is designed to fire on suspicious or unauthorized disabling of deletion protection and, where needed, to trigger immediate containment, including re-enabling deletion protection (deletionProtection: true) via ModifyDBInstance or ModifyDBCluster. The Runbook notes emphasize correlating the modification with prior baseline behavior, checking for subsequent deletion attempts within a short window, and automatically remediating to restore protection when the change is unauthorized.
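To make the matching logic concrete, here is an added Python example in the shape of a Panther rule (rule/title/dedup functions over a CloudTrail event dict); it is not the published rule's source, and the sample events, account ID and DB identifiers are constructed.

```python
# Added illustration in the shape of a Panther Python rule (rule/title/dedup
# over a CloudTrail event dict); not the published rule's source. Field names
# follow CloudTrail's lowercase-first RDS conventions (dBInstanceIdentifier).

RDS_MODIFY_EVENTS = {"ModifyDBInstance", "ModifyDBCluster"}

def deep_get(obj, *keys, default=None):
    """Walk nested dicts, returning default if any key is missing."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj

def rule(event):
    """True when a successful RDS modify call turned deletion protection off."""
    if event.get("eventSource") != "rds.amazonaws.com":
        return False
    if event.get("eventName") not in RDS_MODIFY_EVENTS:
        return False
    if event.get("errorCode"):  # denied calls changed nothing: do not alert
        return False
    if deep_get(event, "requestParameters", "deletionProtection") is not False:
        return False
    # Confirm the API applied (or is applying) the change before alerting.
    resp = event.get("responseElements") or {}
    status = resp.get("dBInstanceStatus") or resp.get("status")
    return resp.get("deletionProtection") is False or status == "modifying"

def resource_id(event):
    """DB identifier from the request, for either instances or clusters."""
    req = event.get("requestParameters") or {}
    return req.get("dBInstanceIdentifier") or req.get("dBClusterIdentifier") or "<unknown>"

def title(event):
    actor = deep_get(event, "userIdentity", "arn", default="unknown principal")
    return f"RDS deletion protection disabled on [{resource_id(event)}] by [{actor}]"

def dedup(event):
    # One alert per account and resource inside the rule's 60-minute window.
    return f"{event.get('recipientAccountId')}:{resource_id(event)}"

# Constructed sample events (not real log data) for a quick local check.
DISABLED = {"eventSource": "rds.amazonaws.com", "eventName": "ModifyDBInstance",
            "recipientAccountId": "111111111111", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example"},
            "requestParameters": {"dBInstanceIdentifier": "prod-db", "deletionProtection": False, "applyImmediately": True},
            "responseElements": {"dBInstanceIdentifier": "prod-db", "deletionProtection": False, "dBInstanceStatus": "modifying"}}
DENIED = {**DISABLED, "errorCode": "AccessDenied", "responseElements": None}
```

The `DENIED` event shows the failed-permission test case from the summary: the same request with an `errorCode` never changed the instance, so it must not alert.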
Categories
  • Cloud
  • AWS
  • Database
Data Sources
  • Cloud Service
ATT&CK Techniques
  • T1562
  • T1490
Created: 2026-04-21