
Summary
This detection rule identifies unauthorized password resets for the master user of Amazon RDS (Relational Database Service) instances. It uses AWS CloudTrail logs ingested through Amazon Security Lake to find `ModifyDBInstance` API calls whose request parameters include a new `masterUserPassword` value. An attacker who can reset the master password gains unapproved access to whatever the database holds, which may include financial data, personally identifiable information (PII), and medical records. Prompt investigation of these events is therefore critical to maintaining data security and compliance with regulatory standards, since an unauthorized reset could lead to a substantial data breach and reputational damage. The rule is implemented as specific Splunk queries that filter and analyze the relevant API calls and user activity recorded in CloudTrail logs; organizations need this level of visibility into such operations to mitigate the risks of credential mismanagement.
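The check the summary describes, written out as an added example rather than the rule's own Splunk query: a small Python detector that reads CloudTrail records as JSON lines and flags `ModifyDBInstance` calls to `rds.amazonaws.com` whose `requestParameters` carry `masterUserPassword`. The field names follow CloudTrail's documented record layout; the sample events, account IDs, ARNs, IP addresses and instance names are constructed for this example and are not from the page. It goes slightly beyond the summary by also surfacing reset attempts that CloudTrail recorded with an `errorCode` (a denied call), since a failed reset is still worth an analyst's attention.

```python
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed sample CloudTrail records (not real data). From top to bottom:
# a successful master password reset, a benign ModifyDBInstance that only
# changes the instance class, an unrelated read-only call, and a reset
# attempt that IAM denied. CloudTrail redacts the secret itself, so only the
# presence of the masterUserPassword key matters to the detector.
SAMPLE_CLOUDTRAIL_JSONL = r"""
{"eventTime": "2024-12-12T10:01:00Z", "eventSource": "rds.amazonaws.com", "eventName": "ModifyDBInstance", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}, "requestParameters": {"dBInstanceIdentifier": "prod-finance-db", "masterUserPassword": "****", "applyImmediately": true}}
{"eventTime": "2024-12-12T10:05:00Z", "eventSource": "rds.amazonaws.com", "eventName": "ModifyDBInstance", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.11", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"}, "requestParameters": {"dBInstanceIdentifier": "prod-finance-db", "dBInstanceClass": "db.r6g.large"}}
{"eventTime": "2024-12-12T10:06:00Z", "eventSource": "rds.amazonaws.com", "eventName": "DescribeDBInstances", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.11", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"}, "requestParameters": null}
{"eventTime": "2024-12-12T10:09:00Z", "eventSource": "rds.amazonaws.com", "eventName": "ModifyDBInstance", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/ci-deploy/session"}, "requestParameters": {"dBInstanceIdentifier": "prod-medical-db", "masterUserPassword": "****"}, "errorCode": "AccessDenied", "errorMessage": "User is not authorized to perform: rds:ModifyDBInstance"}
"""


@dataclass
class Finding:
    """One master password reset (or attempted reset) worth investigating."""
    event_time: str
    principal_arn: str
    db_instance: str
    source_ip: str
    region: str
    outcome: str  # "succeeded" or "failed:<errorCode>"


def is_master_password_reset(event: dict) -> bool:
    """True when the record is an RDS ModifyDBInstance call that sets masterUserPassword."""
    if event.get("eventSource") != "rds.amazonaws.com":
        return False
    if event.get("eventName") != "ModifyDBInstance":
        return False
    # requestParameters is null for some calls; treat that as an empty dict.
    params = event.get("requestParameters") or {}
    return "masterUserPassword" in params


def detect_rds_master_password_resets(jsonl: str) -> list[Finding]:
    """Parse CloudTrail JSON lines and return a Finding per password reset."""
    findings: list[Finding] = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than stop the pipeline
        if not is_master_password_reset(event):
            continue
        params = event.get("requestParameters") or {}
        identity = event.get("userIdentity") or {}
        error_code = event.get("errorCode")
        findings.append(
            Finding(
                event_time=event.get("eventTime", "unknown"),
                principal_arn=identity.get("arn", "unknown"),
                db_instance=params.get("dBInstanceIdentifier", "unknown"),
                source_ip=event.get("sourceIPAddress", "unknown"),
                region=event.get("awsRegion", "unknown"),
                outcome="succeeded" if error_code is None else f"failed:{error_code}",
            )
        )
    return findings


if __name__ == "__main__":
    for finding in detect_rds_master_password_resets(SAMPLE_CLOUDTRAIL_JSONL):
        print(
            f"{finding.event_time} {finding.outcome:20} {finding.db_instance:16} "
            f"by {finding.principal_arn} from {finding.source_ip} ({finding.region})"
        )
```

Run against the constructed sample, the detector produces two findings: the completed reset of `prod-finance-db` by the IAM user, and the denied attempt against `prod-medical-db` from the assumed role. The instance-class change and the `DescribeDBInstances` call are correctly ignored. The same `is_master_password_reset` predicate maps directly onto the filter a Splunk or Security Lake query would apply on `eventSource`, `eventName` and the `requestParameters.masterUserPassword` field.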
Categories
- Cloud
- AWS
- Database
Data Sources
- Pod
- Cloud Storage
- Application Log
ATT&CK Techniques
- T1586
- T1586.003
- T1110
- T1110.002
Created: 2024-12-12