AWS S3 Bucket Manipulation

Anvilogic Forge

Summary
This detection rule identifies and alerts on potentially malicious manipulation of Amazon S3 buckets in an AWS environment using CloudTrail logs. Its focus is on configuration changes that could indicate a compromised account or an insider threat rather than routine administration. Specifically, it tracks bucket-level modification events: changes to access control lists (ACLs), bucket policies, CORS configurations, lifecycle rules and replication settings, as well as deletion of the bucket itself.

The logic uses a SQL-like query that filters CloudTrail records for the specific S3 event names associated with these changes and restricts the search to events from the last two hours. The short lookback window matters because a public ACL grant or an opened bucket policy can lead to data exposure, and a deleted bucket or lifecycle rule to data loss, within minutes of the change; a two-hour window keeps the alert close to the event so that responders can revert the change while it is still fresh.

Two operational notes for anyone deploying the rule. First, bucket-level S3 API calls such as PutBucketAcl, PutBucketPolicy and DeleteBucket are recorded as CloudTrail management events, so the rule works with a standard trail and does not require S3 data event logging (which is only needed for object-level activity). Second, the same API calls are issued legitimately by infrastructure-as-code pipelines, so expect noise in accounts with frequent deployments; tune by allowlisting known deployment principals and by prioritising changes that grant access to everyone (an AllUsers or AuthenticatedUsers ACL grantee, or a bucket policy with a wildcard principal). The rule maps to three MITRE ATT&CK techniques covering infrastructure modification, data destruction and collection from cloud storage.
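The following is an added example, not the Anvilogic rule itself, that reproduces the detection logic described above in Python over a handful of constructed CloudTrail records: it filters on eventSource and the S3 event names, applies the two-hour lookback window, and then goes a step further than the summary by grading each hit, escalating PutBucketAcl and PutBucketPolicy calls that open the bucket to everyone and downgrading changes made by an allowlisted deployment role. The event-name set, the allowlisted role ARN, the bucket names and the record contents are all assumptions made for the example; the requestParameters layout follows the shape CloudTrail uses for S3 management events, but the records themselves are constructed, not captured.

```python
"""Detect S3 bucket manipulation in CloudTrail records (added example, not the vendor rule)."""
from datetime import datetime, timedelta, timezone

# Bucket-level S3 API calls in the categories the rule describes (ACL, policy,
# CORS, lifecycle, replication, bucket deletion). Assumed set for this example;
# the production rule may use a different list.
S3_MANIPULATION_EVENTS = {
    "PutBucketAcl", "PutBucketPolicy", "DeleteBucketPolicy",
    "PutBucketCors", "DeleteBucketCors",
    "PutBucketLifecycle", "DeleteBucketLifecycle",
    "PutBucketReplication", "DeleteBucketReplication",
    "DeleteBucket",
}

# Hypothetical allowlist of IaC deployment roles whose bucket changes are expected.
EXPECTED_PRINCIPAL_ARNS = {"arn:aws:iam::111122223333:role/terraform-deploy"}

# Canned ACL grantee URIs that expose a bucket to every AWS user or to anyone.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def as_list(value):
    """CloudTrail serialises single XML elements as a dict and repeated ones as a list."""
    return value if isinstance(value, list) else [value]


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def actor_arn(record):
    return record.get("userIdentity", {}).get("arn", "")


def grants_public_access(record):
    """True if a PutBucketAcl or PutBucketPolicy request opens the bucket to everyone."""
    params = record.get("requestParameters") or {}
    name = record.get("eventName")
    if name == "PutBucketAcl":
        acl = params.get("AccessControlPolicy", {}).get("AccessControlList", {})
        for grant in as_list(acl.get("Grant", [])):
            if grant.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES:
                return True
        # Canned ACL sent as a header instead of an explicit grant list.
        return any(v in ("public-read", "public-read-write")
                   for v in as_list(params.get("x-amz-acl", [])))
    if name == "PutBucketPolicy":
        policy = params.get("bucketPolicy") or {}
        for stmt in as_list(policy.get("Statement", [])):
            if stmt.get("Effect") != "Allow":
                continue
            principal = stmt.get("Principal")
            if principal == "*":
                return True
            if isinstance(principal, dict) and "*" in as_list(principal.get("AWS", [])):
                return True
    return False


def severity(record):
    """Grade a matched event: expected deployer -> low, public exposure or deletion -> high."""
    if actor_arn(record) in EXPECTED_PRINCIPAL_ARNS:
        return "low"
    if record["eventName"] == "DeleteBucket" or grants_public_access(record):
        return "high"
    return "medium"


def detect_s3_manipulation(records, now, window_hours=2):
    """Return one alert per S3 bucket manipulation event inside the lookback window."""
    cutoff = now - timedelta(hours=window_hours)
    alerts = []
    for r in records:
        if r.get("eventSource") != "s3.amazonaws.com":
            continue
        if r.get("eventName") not in S3_MANIPULATION_EVENTS:
            continue
        if parse_time(r["eventTime"]) < cutoff:
            continue
        alerts.append({
            "eventTime": r["eventTime"],
            "eventName": r["eventName"],
            "bucket": (r.get("requestParameters") or {}).get("bucketName", ""),
            "actor": actor_arn(r),
            "sourceIP": r.get("sourceIPAddress", ""),
            "succeeded": not r.get("errorCode"),
            "severity": severity(r),
        })
    return alerts


# Constructed sample records; the evaluation time is fixed so the window is deterministic.
NOW = datetime(2024, 2, 26, 12, 0, tzinfo=timezone.utc)
USER = {"arn": "arn:aws:iam::111122223333:user/alice"}
DEPLOYER = {"arn": "arn:aws:iam::111122223333:role/terraform-deploy"}
PUBLIC_READ_GRANT = {"AccessControlPolicy": {"AccessControlList": {"Grant": {
    "Grantee": {"xsi:type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
    "Permission": "READ"}}}}
WILDCARD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::finance-exports/*"}]}
SAMPLE_RECORDS = [
    {"eventTime": "2024-02-26T11:30:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "userIdentity": USER, "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"bucketName": "finance-exports", **PUBLIC_READ_GRANT}},
    {"eventTime": "2024-02-26T11:00:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketLifecycle",
     "userIdentity": DEPLOYER, "sourceIPAddress": "10.0.4.21",
     "requestParameters": {"bucketName": "app-logs"}},
    {"eventTime": "2024-02-26T08:59:00Z", "eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket",
     "userIdentity": USER, "requestParameters": {"bucketName": "old-backups"}},   # outside window
    {"eventTime": "2024-02-26T11:55:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetBucketAcl",
     "userIdentity": USER, "requestParameters": {"bucketName": "finance-exports"}},  # read, not tracked
    {"eventTime": "2024-02-26T11:50:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
     "userIdentity": USER, "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"bucketName": "finance-exports", "bucketPolicy": WILDCARD_POLICY}},
    {"eventTime": "2024-02-26T10:30:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketReplication",
     "userIdentity": USER, "sourceIPAddress": "198.51.100.9",
     "requestParameters": {"bucketName": "hr-records"}},
]

if __name__ == "__main__":
    for alert in detect_s3_manipulation(SAMPLE_RECORDS, NOW):
        print(f'{alert["eventTime"]} {alert["severity"]:<6} {alert["eventName"]:<22} '
              f'{alert["bucket"]:<16} {alert["actor"]}')
```

Running the block against the constructed records yields four alerts: the public ACL grant and the wildcard bucket policy on finance-exports are high, the lifecycle change by the allowlisted deployer is low, and the replication change on hr-records is medium. The three-hour-old DeleteBucket and the GetBucketAcl read are dropped by the window and event-name filters respectively, which is exactly the behaviour the summary describes; the severity grading and the allowlist are the tuning layer a SOC would add on top.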
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Storage
  • Application Log
ATT&CK Techniques
  • T1578 (Modify Cloud Compute Infrastructure)
  • T1485 (Data Destruction)
  • T1530 (Data from Cloud Storage)
Created: 2024-02-26