
Summary
This rule detects destructive actions against AWS Backup backups by monitoring AWS CloudTrail management events for DeleteBackupVault and DeleteBackupVaultLockConfiguration. Deleting a backup vault removes the container that stores recovery points, and removing Vault Lock disables the WORM immutability that protects those points until their retention expires. Both actions undermine anti-ransomware controls and are rare in normal operations, which makes them high-risk signals. The rule matches events from the AWS Backup service with a successful outcome, excludes routine service activity, and requires ingestion via the CloudTrail integration. It supports rapid triage and containment by correlating vault and lock changes with subsequent recovery point deletions and other destructive activity.
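The following Python script is an added illustration of the rule logic described above, not the rule's own implementation or any vendor code. It applies the stated conditions (AWS Backup event source, the two destructive API names, a successful outcome, i.e. no errorCode in the record) to a constructed CloudTrail log file and then performs the triage correlation the summary mentions, looking for DeleteRecoveryPoint calls on the same vault shortly after each hit. Three details are assumptions made here rather than statements from the page: "routine service activity" is interpreted as records whose userIdentity.type is AWSService, the follow-on activity is limited to DeleteRecoveryPoint, and the correlation window is one hour. Field names follow the CloudTrail record schema; every sample record is constructed.

```python
"""Toy detection of AWS Backup vault destruction in CloudTrail logs.

Added example; not the detection rule's own code. Field names follow the
CloudTrail record schema; the records below are constructed test data.
"""
import json
from datetime import datetime, timedelta

# Constructed CloudTrail log file, in the same {"Records": [...]} shape
# CloudTrail delivers. Only the fields the logic consults are populated.
SAMPLE_LOG = """{"Records": [
 {"eventTime": "2026-06-19T10:00:00Z", "eventSource": "backup.amazonaws.com",
  "eventName": "DeleteBackupVaultLockConfiguration",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
  "requestParameters": {"backupVaultName": "prod-vault"}},
 {"eventTime": "2026-06-19T10:02:00Z", "eventSource": "backup.amazonaws.com",
  "eventName": "DeleteBackupVault", "errorCode": "AccessDenied",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
  "requestParameters": {"backupVaultName": "prod-vault"}},
 {"eventTime": "2026-06-19T10:05:00Z", "eventSource": "backup.amazonaws.com",
  "eventName": "DescribeBackupVault",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
  "requestParameters": {"backupVaultName": "prod-vault"}},
 {"eventTime": "2026-06-19T10:20:00Z", "eventSource": "backup.amazonaws.com",
  "eventName": "DeleteRecoveryPoint",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
  "requestParameters": {"backupVaultName": "prod-vault"}},
 {"eventTime": "2026-06-19T10:25:00Z", "eventSource": "backup.amazonaws.com",
  "eventName": "DeleteRecoveryPoint",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
  "requestParameters": {"backupVaultName": "other-vault"}},
 {"eventTime": "2026-06-19T10:30:00Z", "eventSource": "backup.amazonaws.com",
  "eventName": "DeleteBackupVault",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
  "requestParameters": {"backupVaultName": "prod-vault"}},
 {"eventTime": "2026-06-19T10:40:00Z", "eventSource": "backup.amazonaws.com",
  "eventName": "DeleteBackupVault",
  "userIdentity": {"type": "AWSService", "invokedBy": "backup.amazonaws.com"},
  "requestParameters": {"backupVaultName": "scratch-vault"}}
]}"""

# The two API calls the rule watches for.
DESTRUCTIVE_VAULT_EVENTS = {"DeleteBackupVault", "DeleteBackupVaultLockConfiguration"}
# Follow-on activity used for triage (assumption: recovery point deletions only).
FOLLOW_ON_EVENTS = {"DeleteRecoveryPoint"}


def parse_time(ts):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def vault_name(rec):
    return (rec.get("requestParameters") or {}).get("backupVaultName")


def is_vault_destruction(rec):
    """Rule logic: AWS Backup source, destructive vault API, success (CloudTrail
    omits errorCode on success), and not an AWS service principal (assumed
    reading of 'routine service activity')."""
    return (
        rec.get("eventSource") == "backup.amazonaws.com"
        and rec.get("eventName") in DESTRUCTIVE_VAULT_EVENTS
        and "errorCode" not in rec
        and (rec.get("userIdentity") or {}).get("type") != "AWSService"
    )


def detect(records):
    return [r for r in records if is_vault_destruction(r)]


def correlate(records, alert, window=timedelta(hours=1)):
    """Successful follow-on deletions on the same vault within `window` after the alert."""
    start = parse_time(alert["eventTime"])
    end = start + window
    return [
        r for r in records
        if r.get("eventSource") == "backup.amazonaws.com"
        and r.get("eventName") in FOLLOW_ON_EVENTS
        and "errorCode" not in r
        and vault_name(r) == vault_name(alert)
        and start < parse_time(r["eventTime"]) <= end
    ]


def triage(log_text):
    """Return (alert, follow-on deletions) pairs for a CloudTrail log file's text."""
    records = json.loads(log_text)["Records"]
    return [(a, correlate(records, a)) for a in detect(records)]


if __name__ == "__main__":
    for alert, follow_ons in triage(SAMPLE_LOG):
        actor = alert["userIdentity"].get("arn", "<service>")
        print(f"{alert['eventTime']} {alert['eventName']} on {vault_name(alert)} by {actor}: "
              f"{len(follow_ons)} recovery point deletion(s) within 1h")
```

Running the script flags two records: the Vault Lock removal at 10:00, which is followed by a recovery point deletion on the same vault twenty minutes later, and the successful vault deletion at 10:30. The AccessDenied attempt, the read-only DescribeBackupVault call, the deletion on a different vault and the service-principal record are all left out, which matches the summary's emphasis on successful, non-routine events.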
Categories
- Cloud
Data Sources
- Cloud Service
- Application Log
ATT&CK Techniques
- T1490
- T1562
Created: 2026-06-19