
Summary
Detects AWS KMS events where imported key material is deleted via the DeleteImportedKeyMaterial API, indicating immediate loss of access to data encrypted with BYOK-origin keys. The rule ingests CloudTrail management events (aws.cloudtrail) where kms.amazonaws.com reports DeleteImportedKeyMaterial with a successful outcome and is not a service-initiated action. Deleting imported material transitions the key to a PendingImport state and makes all data encrypted under that key unusable with no recovery window, unlike ScheduleKeyDeletion which imposes a delay. This makes the action high-risk and potentially destructive, aligned with data destruction or ransomware behavior when performed by an unexpected principal. The detection focuses on external-origin keys (BYOK) where the material is under customer control and, due to its rarity, warrants prompt review if observed outside a planned lifecycle.
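Added example, not the rule's own query: the filter conditions described above applied in Python to constructed CloudTrail records. The account id, key id, and the service-initiated heuristic (userIdentity.type of AWSService, or invokedBy naming an AWS service principal) are assumptions made for illustration.

```python
# Constructed sample CloudTrail records (not real logs). Only the first one
# should match the rule: a successful, user-initiated DeleteImportedKeyMaterial.
SAMPLE_RECORDS = [
    {"eventTime": "2026-06-18T10:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "DeleteImportedKeyMaterial", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"keyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY"}},
    # Same call, but denied: errorCode is present, so the outcome is not success.
    {"eventTime": "2026-06-18T10:01:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "DeleteImportedKeyMaterial", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"keyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY"}},
    # Service-initiated call: excluded by the rule.
    {"eventTime": "2026-06-18T10:02:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "DeleteImportedKeyMaterial",
     "userIdentity": {"type": "AWSService", "invokedBy": "config.amazonaws.com"},
     "requestParameters": {"keyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY"}},
    # Different KMS API (ScheduleKeyDeletion has a recovery window), out of scope.
    {"eventTime": "2026-06-18T10:03:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "ScheduleKeyDeletion",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"keyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY"}},
]

def is_service_initiated(record):
    # Assumption: a call counts as service-initiated when the identity type is
    # AWSService, or when invokedBy names an AWS service principal.
    ident = record.get("userIdentity", {})
    invoked_by = ident.get("invokedBy", "")
    return ident.get("type") == "AWSService" or invoked_by.endswith(".amazonaws.com")

def matches_rule(record):
    # eventSource + eventName pin the API; absence of errorCode is the success
    # outcome; service-initiated calls are excluded.
    return (record.get("eventSource") == "kms.amazonaws.com"
            and record.get("eventName") == "DeleteImportedKeyMaterial"
            and "errorCode" not in record
            and not is_service_initiated(record))

def find_alerts(records):
    # Return the fields a responder needs first: who, from where, which key, when.
    return [{"principal": r["userIdentity"].get("arn", r["userIdentity"].get("type")),
             "source_ip": r.get("sourceIPAddress"),
             "key_id": r.get("requestParameters", {}).get("keyId"),
             "event_time": r.get("eventTime")}
            for r in records if matches_rule(r)]
```

Because deleted imported material has no recovery window, the alert output deliberately carries the principal and key id so triage can confirm whether the action was part of a planned key lifecycle.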
Categories
- Cloud
- AWS
Data Sources
- Cloud Service
ATT&CK Techniques
- T1485
- T1485.001
Created: 2026-06-18