
Summary
This detection rule identifies the launch of AWS EC2 instances from Amazon Machine Images (AMIs) that contain vulnerable versions of the XZ compression tool, specifically those affected by CVE-2024-3094. The vulnerability affects XZ versions 5.6.0 and 5.6.1, so an instance built from an image that bundles those versions could be exploited through the image itself. The rule triggers when instances are launched with these specific AMIs and includes a runbook outlining steps to verify the vulnerability, terminate affected instances, and launch replacements from secure AMIs. It uses AWS CloudTrail logs to monitor instance launch events and provides conditions for detecting both a single instance and multiple instances launched from vulnerable AMIs. The rule is classified as critical because of the severe consequences of running compromised AMIs in cloud environments.
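The detection described above, written out as an added Python example in the style of a Panther rule module; this is not the rule's own code. It assumes the standard CloudTrail `RunInstances` record layout (`eventSource`, `eventName`, `errorCode`, `responseElements.instancesSet.items[].imageId`), and the AMI IDs in `VULNERABLE_AMIS` and the sample events are constructed placeholders, not real image or account identifiers. It handles the two cases the summary names (one instance, several instances) and skips failed calls that launched nothing.

```python
"""Hypothetical Panther-style detection: EC2 instances launched from AMIs
known to bundle the backdoored xz 5.6.0/5.6.1 builds (CVE-2024-3094).

Constructed example. The AMI IDs below are placeholders, not real images.
"""

# Placeholder AMI IDs believed to ship a vulnerable xz; replace with the
# image IDs that actually need watching in a given environment.
VULNERABLE_AMIS = {
    "ami-0000000000000aaa1",
    "ami-0000000000000aaa2",
}


def _launched_instances(event):
    """Yield (instanceId, imageId) pairs from a CloudTrail RunInstances record."""
    response = event.get("responseElements") or {}
    items = (response.get("instancesSet") or {}).get("items") or []
    for item in items:
        yield item.get("instanceId"), item.get("imageId")


def vulnerable_launches(event):
    """Return the (instanceId, imageId) pairs launched from a vulnerable AMI.

    Only successful ec2:RunInstances calls count: a record carrying an
    errorCode (for example an authorization failure) launched nothing.
    """
    if event.get("eventSource") != "ec2.amazonaws.com":
        return []
    if event.get("eventName") != "RunInstances":
        return []
    if event.get("errorCode"):
        return []
    return [
        (instance_id, image_id)
        for instance_id, image_id in _launched_instances(event)
        if image_id in VULNERABLE_AMIS
    ]


def rule(event):
    """Panther entry point: True when at least one launched instance is affected."""
    return bool(vulnerable_launches(event))


def title(event):
    """Alert title that distinguishes a single affected instance from several."""
    hits = vulnerable_launches(event)
    account = event.get("recipientAccountId", "unknown-account")
    region = event.get("awsRegion", "unknown-region")
    if len(hits) == 1:
        instance_id, image_id = hits[0]
        return (f"EC2 instance {instance_id} launched from vulnerable xz AMI "
                f"{image_id} in {account}/{region}")
    return (f"{len(hits)} EC2 instances launched from vulnerable xz AMIs "
            f"in {account}/{region}")


def severity(event):
    """The summary classifies this rule as critical regardless of instance count."""
    return "CRITICAL"


def _run_instances_event(image_ids, error_code=None):
    """Build a constructed CloudTrail RunInstances record for offline testing."""
    event = {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances",
        "awsRegion": "us-east-1",
        "recipientAccountId": "123456789012",  # constructed account ID
        "requestParameters": {
            "instancesSet": {"items": [{"imageId": image_ids[0]}]},
            "minCount": len(image_ids),
            "maxCount": len(image_ids),
        },
    }
    if error_code:
        event["errorCode"] = error_code  # failed call: no responseElements
    else:
        event["responseElements"] = {
            "instancesSet": {
                "items": [
                    {"instanceId": f"i-0c0ffee00000000{n:02d}", "imageId": image_id}
                    for n, image_id in enumerate(image_ids)
                ]
            }
        }
    return event


# Constructed sample records covering the single, multiple, clean and failed cases.
SINGLE_VULNERABLE = _run_instances_event(["ami-0000000000000aaa1"])
MULTI_VULNERABLE = _run_instances_event(["ami-0000000000000aaa2"] * 3)
CLEAN_LAUNCH = _run_instances_event(["ami-0000000000000bbb1"])
FAILED_LAUNCH = _run_instances_event(["ami-0000000000000aaa1"],
                                     error_code="Client.UnauthorizedOperation")

if __name__ == "__main__":
    for name, ev in [("single", SINGLE_VULNERABLE), ("multi", MULTI_VULNERABLE),
                     ("clean", CLEAN_LAUNCH), ("failed", FAILED_LAUNCH)]:
        print(name, rule(ev), title(ev) if rule(ev) else "-")
```

Matching on `responseElements` rather than `requestParameters` is deliberate: the request only names the AMI once, while the response lists every instance actually created, which is what a runbook needs when terminating and replacing them.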
Categories
- Cloud
- AWS
- Linux
Data Sources
- Cloud Service
- Logon Session
- Application Log
ATT&CK Techniques
- T1195.001
Created: 2024-04-02