
Summary
This rule detects an Amazon Machine Image (AMI) being shared with another AWS account, a pattern that can indicate data exfiltration. Sharing AMIs across accounts is routine in AWS environments for collaboration, but an adversary with EC2 permissions can use the same feature to copy an image containing secrets, code artifacts, or other sensitive data into an account they control. The detection is built on AWS CloudTrail management events: the triggering action is a successful 'ModifyImageAttribute' call that modifies the image's launchPermission attribute to add one or more additional account IDs. Because the same API call underlies legitimate sharing, the rule is intended to prompt security teams to review each sharing action and confirm it was authorized before escalating it as unauthorized behavior. It includes triage and investigation recommendations for establishing the legitimacy of the share (who performed it, from where, and whether the recipient account is known) and recommends ongoing monitoring and policy updates to harden AMI management.
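The following is an added example, not the rule's own query or any code from the original page, showing how the triggering condition looks in raw CloudTrail JSON and how to evaluate it. It inspects ModifyImageAttribute records for launch permissions added to a foreign account and, going one step beyond the page's text, also flags the case where the image is made public (a launch permission granted to the 'all' group). The sample records, account IDs, AMI IDs, IP addresses and the trusted-accounts allowlist are all constructed for illustration.

```python
"""Flag AMI sharing in raw CloudTrail records (added example, not the rule's own query)."""
import json

# Constructed CloudTrail records for illustration; every identifier here is made up.
SAMPLE_EVENTS = [
    {   # 1. launch permission granted to an account other than the owner -> alert
        "eventSource": "ec2.amazonaws.com",
        "eventName": "ModifyImageAttribute",
        "recipientAccountId": "111111111111",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/build-bot"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {
            "imageId": "ami-0123456789abcdef0",
            "attributeType": "launchPermission",
            "launchPermission": {"add": {"items": [{"userId": "999999999999"}]}},
        },
    },
    {   # 2. image made public -> alert (generalization beyond account-to-account sharing)
        "eventSource": "ec2.amazonaws.com",
        "eventName": "ModifyImageAttribute",
        "recipientAccountId": "111111111111",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:role/ci-deploy"},
        "sourceIPAddress": "198.51.100.7",
        "requestParameters": {
            "imageId": "ami-0fedcba9876543210",
            "attributeType": "launchPermission",
            "launchPermission": {"add": {"items": [{"group": "all"}]}},
        },
    },
    {   # 3. permission removed, not added -> no alert
        "eventSource": "ec2.amazonaws.com",
        "eventName": "ModifyImageAttribute",
        "recipientAccountId": "111111111111",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/admin"},
        "requestParameters": {
            "imageId": "ami-0123456789abcdef0",
            "launchPermission": {"remove": {"items": [{"userId": "999999999999"}]}},
        },
    },
    {   # 4. share to an allowlisted partner account -> suppressed when allowlisted
        "eventSource": "ec2.amazonaws.com",
        "eventName": "ModifyImageAttribute",
        "recipientAccountId": "111111111111",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/admin"},
        "requestParameters": {
            "imageId": "ami-0123456789abcdef0",
            "launchPermission": {"add": {"items": [{"userId": "222222222222"}]}},
        },
    },
    {   # 5. denied attempt -> nothing changed, no alert from this rule
        "eventSource": "ec2.amazonaws.com",
        "eventName": "ModifyImageAttribute",
        "errorCode": "Client.UnauthorizedOperation",
        "recipientAccountId": "111111111111",
        "requestParameters": {
            "imageId": "ami-0123456789abcdef0",
            "launchPermission": {"add": {"items": [{"userId": "999999999999"}]}},
        },
    },
    {   # 6. unrelated EC2 API call -> ignored
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeImages",
        "recipientAccountId": "111111111111",
    },
]


def ami_share_findings(event, trusted_accounts=frozenset()):
    """Return findings for one CloudTrail record; empty if it is not an AMI share of interest."""
    if event.get("eventSource") != "ec2.amazonaws.com" or event.get("eventName") != "ModifyImageAttribute":
        return []
    if event.get("errorCode"):  # failed calls did not change the image's permissions
        return []
    params = event.get("requestParameters") or {}
    added = ((params.get("launchPermission") or {}).get("add") or {}).get("items") or []
    owner = event.get("recipientAccountId")
    findings = []
    for item in added:
        target, group = item.get("userId"), item.get("group")
        if group == "all":
            kind = "ami_made_public"
        elif target and target != owner and target not in trusted_accounts:
            kind = "ami_shared_with_external_account"
        else:
            continue  # self-share or allowlisted partner: leave for routine review, not an alert
        findings.append({
            "kind": kind,
            "image_id": params.get("imageId"),
            "owner_account": owner,
            "target": target or "all",
            "actor": (event.get("userIdentity") or {}).get("arn"),
            "source_ip": event.get("sourceIPAddress"),
        })
    return findings


def scan(events, trusted_accounts=frozenset()):
    """Run the check over an iterable of CloudTrail records and collect all findings."""
    findings = []
    for event in events:
        findings.extend(ami_share_findings(event, trusted_accounts))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS, trusted_accounts={"222222222222"}):
        print(json.dumps(finding))
```

Each finding carries the actor ARN, source IP, image ID and recipient, which is exactly the context the triage steps above call for when deciding whether a share was authorized. The allowlist is the hypothetical tuning knob: without it, the share to the partner account in record 4 is also reported, so it should be maintained deliberately rather than grown to silence alerts.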
Categories
- Cloud
- AWS
- Identity Management
Data Sources
- Cloud Storage
- Logon Session
- Network Traffic
- Service
ATT&CK Techniques
- T1537
Created: 2024-04-16