
Summary
The AWS CreateSnapshot detection rule identifies potentially unauthorized use of the CreateSnapshot API call, which creates point-in-time backups of Elastic Block Store (EBS) volumes in Amazon Web Services (AWS). Snapshots are a routine part of backup and scaling workflows, but an adversary holding IAM credentials with the ec2:CreateSnapshot permission can snapshot a volume that holds sensitive data and read its contents elsewhere (for example by creating a new volume from the snapshot and attaching it to an instance they control) without ever logging in to the EC2 instance that uses the volume. The detection logic queries AWS CloudTrail logs for CreateSnapshot events and aggregates contextual fields such as the calling user identity, source IP address, and request parameters (the source volume ID and any description), so that an analyst can separate known backup automation from snapshots taken by unexpected principals or from unexpected locations. This activity maps to T1530 (Data from Cloud Storage) in the MITRE ATT&CK framework; it is a collection technique, so the rule's value lies in catching data theft from cloud storage rather than lateral movement.
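The following is an added worked example, not code from the detection rule's own content pack, showing the logic the summary describes: filter CloudTrail records to CreateSnapshot events, aggregate them by calling identity and source IP, and surface groups whose principal is not a known backup role. The sample records are constructed for the example (field names follow the CloudTrail record format; the account ID, volume and snapshot IDs, IP addresses and the `BackupRole` allow-list are assumptions, not real data).

```python
from collections import defaultdict

# Constructed sample CloudTrail records (not real log data). The account ID,
# resource IDs and addresses are made up; only the field layout is authentic.
SAMPLE_CLOUDTRAIL = [
    {"eventTime": "2024-03-14T02:00:11Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateSnapshot", "awsRegion": "us-east-1",
     "sourceIPAddress": "10.0.1.20",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/BackupRole/i-0aaa"},
     "requestParameters": {"volumeId": "vol-0111", "description": "nightly"},
     "responseElements": {"snapshotId": "snap-0111"}},
    {"eventTime": "2024-03-14T02:00:12Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateSnapshot", "awsRegion": "us-east-1",
     "sourceIPAddress": "10.0.1.20",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/BackupRole/i-0aaa"},
     "requestParameters": {"volumeId": "vol-0222", "description": "nightly"},
     "responseElements": {"snapshotId": "snap-0222"}},
    # Interactive IAM user snapshotting a volume from an external address.
    {"eventTime": "2024-03-14T14:37:05Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateSnapshot", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "IAMUser", "userName": "contractor",
                      "arn": "arn:aws:iam::111122223333:user/contractor"},
     "requestParameters": {"volumeId": "vol-0333", "description": ""},
     "responseElements": {"snapshotId": "snap-0333"}},
    # Unrelated read-only call; the filter must ignore it.
    {"eventTime": "2024-03-14T14:38:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeSnapshots", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "IAMUser", "userName": "contractor",
                      "arn": "arn:aws:iam::111122223333:user/contractor"},
     "requestParameters": {}},
]

# Hypothetical allow-list of principals that are expected to create snapshots.
# In practice this would be derived from the environment's backup automation.
KNOWN_BACKUP_PRINCIPALS = {"arn:aws:sts::111122223333:assumed-role/BackupRole"}


def principal_of(record):
    """Return the caller ARN, with the session name stripped for assumed roles
    so that every session of the same role aggregates under one key."""
    arn = record.get("userIdentity", {}).get("arn", "unknown")
    parts = arn.split("/")
    if ":assumed-role/" in arn and len(parts) == 3:
        return "/".join(parts[:2])
    return arn


def find_create_snapshot_events(records):
    """Filter to EC2 CreateSnapshot events and aggregate by (principal, source IP).
    Returns a dict keyed by that tuple with counts, volumes, snapshots and the
    first/last event times, which is the context an analyst needs to triage."""
    groups = defaultdict(lambda: {"count": 0, "volumes": [], "snapshots": [],
                                  "regions": set(), "first": None, "last": None})
    for rec in records:
        if rec.get("eventSource") != "ec2.amazonaws.com":
            continue
        if rec.get("eventName") != "CreateSnapshot":
            continue
        key = (principal_of(rec), rec.get("sourceIPAddress", "unknown"))
        g = groups[key]
        g["count"] += 1
        g["volumes"].append(rec.get("requestParameters", {}).get("volumeId"))
        g["snapshots"].append(rec.get("responseElements", {}).get("snapshotId"))
        g["regions"].add(rec.get("awsRegion"))
        t = rec.get("eventTime")
        g["first"] = t if g["first"] is None or t < g["first"] else g["first"]
        g["last"] = t if g["last"] is None or t > g["last"] else g["last"]
    return dict(groups)


def flag_unexpected(groups, known=KNOWN_BACKUP_PRINCIPALS):
    """Return the (principal, source IP) keys whose principal is not in the
    known backup allow-list; these are the candidates for an alert."""
    return [key for key in groups if key[0] not in known]


if __name__ == "__main__":
    groups = find_create_snapshot_events(SAMPLE_CLOUDTRAIL)
    for key in flag_unexpected(groups):
        g = groups[key]
        print(f"ALERT principal={key[0]} src_ip={key[1]} count={g['count']} "
              f"volumes={g['volumes']} snapshots={g['snapshots']} "
              f"window={g['first']}..{g['last']}")
```

Aggregating on the role ARN without the session name matters: automation that assumes a role produces a new session ARN per run, and without normalisation every nightly job would look like a new, unknown principal. The allow-list is a starting point only; a compromised backup role would pass it, so source IP and request volume should still be compared against the environment's baseline.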
Categories
- Cloud
- AWS
Data Sources
- Cloud Service
- Cloud Storage
- User Account
ATT&CK Techniques
- T1530
Created: 2024-03-14