
AWS RDS Snapshot Deleted

Elastic Detection Rules

Summary
This rule detects the unauthorized deletion of AWS RDS database snapshots, which are crucial for data recovery. It monitors AWS CloudTrail logs for successful snapshot deletion calls (`DeleteDBSnapshot`, `DeleteDBClusterSnapshot`) and for `ModifyDBInstance` calls that set `backupRetentionPeriod` to `0`. That setting disables automated backups for the instance and is akin to deleting its backups outright, which could lead to data loss. Such activity could signify malicious intent to erase vital data and warrants a thorough investigation to determine whether the actions were legitimate and whether the calling identity was compromised. The rule highlights the importance of proper oversight of snapshot management practices, safeguarding against both accidental and malicious deletions.
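As an added illustration of the detection logic described above (this is example code written for this page, not Elastic's rule query or any Elastic code), the following Python runs the three conditions over raw CloudTrail records: the call must come from `rds.amazonaws.com`, must have succeeded (CloudTrail marks failures with an `errorCode` field), and must be either a snapshot deletion or a `ModifyDBInstance` whose `requestParameters` carry `backupRetentionPeriod` equal to `0`. The sample records are constructed, not real logs; the account, ARNs, identifiers and IPs in them are placeholders. Field names such as `dBSnapshotIdentifier` follow CloudTrail's convention of lowercasing the first letter of request parameters.

```python
import json
from typing import Iterable, List, Optional

# Constructed sample CloudTrail records (not real logs). Only the fields the
# detection needs are included; account IDs, ARNs and IPs are placeholders.
SAMPLE_EVENTS = [
    {   # 1. successful snapshot deletion -> should alert
        "eventTime": "2024-06-29T10:01:00Z", "eventSource": "rds.amazonaws.com",
        "eventName": "DeleteDBSnapshot", "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {"dBSnapshotIdentifier": "prod-db-2024-06-28"},
    },
    {   # 2. deletion attempt that was denied -> not a successful action, no alert
        "eventTime": "2024-06-29T10:02:00Z", "eventSource": "rds.amazonaws.com",
        "eventName": "DeleteDBClusterSnapshot", "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10", "errorCode": "AccessDenied",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
        "requestParameters": {"dBClusterSnapshotIdentifier": "aurora-prod-snap"},
    },
    {   # 3. automated backups switched off -> should alert
        "eventTime": "2024-06-29T10:03:00Z", "eventSource": "rds.amazonaws.com",
        "eventName": "ModifyDBInstance", "awsRegion": "eu-west-1",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ops-admin"},
        "requestParameters": {"dBInstanceIdentifier": "prod-db",
                              "backupRetentionPeriod": 0},
    },
    {   # 4. retention changed to a non-zero value -> benign, no alert
        "eventTime": "2024-06-29T10:04:00Z", "eventSource": "rds.amazonaws.com",
        "eventName": "ModifyDBInstance", "awsRegion": "eu-west-1",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ops-admin"},
        "requestParameters": {"dBInstanceIdentifier": "prod-db",
                              "backupRetentionPeriod": 7},
    },
    {   # 5. EC2 EBS snapshot deletion, different service -> out of scope for this rule
        "eventTime": "2024-06-29T10:05:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "DeleteSnapshot", "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {"snapshotId": "snap-0123456789abcdef0"},
    },
]

SNAPSHOT_DELETE_ACTIONS = {"DeleteDBSnapshot", "DeleteDBClusterSnapshot"}
TARGET_FIELDS = ("dBSnapshotIdentifier", "dBClusterSnapshotIdentifier",
                 "dBInstanceIdentifier")


def classify(event: dict) -> Optional[str]:
    """Return a short alert reason if the record matches the rule logic, else None."""
    if event.get("eventSource") != "rds.amazonaws.com":
        return None
    # CloudTrail adds errorCode only when the API call failed; absence means success.
    if event.get("errorCode"):
        return None
    name = event.get("eventName")
    if name in SNAPSHOT_DELETE_ACTIONS:
        return f"{name}: RDS snapshot deleted"
    if name == "ModifyDBInstance":
        params = event.get("requestParameters") or {}
        retention = params.get("backupRetentionPeriod")
        # Pipelines may deliver the value as int or string; compare the textual form.
        if retention is not None and str(retention) == "0":
            return "ModifyDBInstance: automated backups disabled (backupRetentionPeriod=0)"
    return None


def detect(events: Iterable[dict]) -> List[dict]:
    """Run classify() over CloudTrail records and return triage-ready alerts."""
    alerts = []
    for ev in events:
        reason = classify(ev)
        if not reason:
            continue
        params = ev.get("requestParameters") or {}
        target = next((params[f] for f in TARGET_FIELDS if f in params), None)
        alerts.append({
            "time": ev.get("eventTime"),
            "actor": (ev.get("userIdentity") or {}).get("arn"),
            "source_ip": ev.get("sourceIPAddress"),
            "region": ev.get("awsRegion"),
            "target": target,
            "reason": reason,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Records 2, 4 and 5 are the cases a reviewer should confirm a detection ignores: a denied call, a retention change that keeps backups enabled, and a snapshot deletion in another service. The actor, source IP and target identifier in each alert are what the investigation the rule calls for starts from: whether that principal normally manages RDS backups, whether the source address is expected, and whether the snapshot or instance is one that scheduled cleanup would touch.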
Categories
  • Cloud
  • AWS
  • Infrastructure
Data Sources
  • Cloud Storage
  • Network Traffic
  • Logon Session
ATT&CK Techniques
  • T1485
Created: 2024-06-29