
Summary
This detection rule identifies when Multi-Factor Authentication (MFA) Delete is disabled on an Amazon S3 bucket. MFA Delete is a critical control that protects versioned objects from unauthorized deletion, so turning it off can signal preparation for a ransomware attack or a data exfiltration event. The rule uses AWS CloudTrail logs to find the S3 API call that disables MFA Delete and to review S3 API activity before and after that change. The associated runbook gives security analysts actionable steps for investigating the surrounding operations, including checks for bulk deletions and other changes to security controls that could lead to data compromise. Findings are categorized under the MITRE ATT&CK framework, focusing on defense evasion and data-destruction impacts.
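The following is an added illustration, not the rule's own detection logic: it runs the check described above over constructed CloudTrail-shaped records, flagging the PutBucketVersioning call that sets MfaDelete to Disabled and counting S3 delete calls against the same bucket inside a follow-up window (the bulk-deletion check the runbook asks for). The record layout, account id, ARNs, bucket names and the 60-minute window are assumptions for the example.

```python
from datetime import datetime, timedelta

# Assumed CloudTrail field layout: eventTime, eventName, userIdentity.arn,
# requestParameters.bucketName and, for PutBucketVersioning,
# requestParameters.VersioningConfiguration.MfaDelete.
def _ev(time, name, actor, bucket, mfa=None):
    """Build a constructed CloudTrail-shaped record (sample data, not a real log)."""
    params = {"bucketName": bucket}
    if mfa is not None:
        params["VersioningConfiguration"] = {"Status": "Enabled", "MfaDelete": mfa}
    return {"eventTime": time, "eventName": name,
            "userIdentity": {"arn": f"arn:aws:iam::111122223333:{actor}"},
            "requestParameters": params}

# Constructed timeline: a normal write, MFA Delete disabled, two deletes minutes
# later, an unrelated benign versioning change, and a late delete outside the window.
SAMPLE_EVENTS = [
    _ev("2025-12-10T09:58:00Z", "PutObject", "user/dev", "finance-archive"),
    _ev("2025-12-10T10:00:00Z", "PutBucketVersioning", "user/dev", "finance-archive", "Disabled"),
    _ev("2025-12-10T10:05:00Z", "DeleteObject", "user/dev", "finance-archive"),
    _ev("2025-12-10T10:06:00Z", "DeleteObjects", "user/dev", "finance-archive"),
    _ev("2025-12-10T10:10:00Z", "PutBucketVersioning", "role/backup", "audit-logs", "Enabled"),
    _ev("2025-12-10T12:30:00Z", "DeleteObject", "user/dev", "finance-archive"),
]

DELETE_APIS = {"DeleteObject", "DeleteObjects"}

def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def _bucket(event):
    return event.get("requestParameters", {}).get("bucketName")

def is_mfa_delete_disable(event):
    """True when a PutBucketVersioning call turns MFA Delete off."""
    if event.get("eventName") != "PutBucketVersioning":
        return False
    cfg = event.get("requestParameters", {}).get("VersioningConfiguration", {})
    return str(cfg.get("MfaDelete", "")).lower() == "disabled"

def analyze(events, window_minutes=60):
    """One finding per MFA Delete disable, with the count of S3 delete calls
    that hit the same bucket within window_minutes after the change."""
    ordered = sorted(events, key=_ts)
    findings = []
    for ev in ordered:
        if not is_mfa_delete_disable(ev):
            continue
        t0, bucket = _ts(ev), _bucket(ev)
        window_end = t0 + timedelta(minutes=window_minutes)
        after = [e for e in ordered if e["eventName"] in DELETE_APIS
                 and _bucket(e) == bucket and t0 < _ts(e) <= window_end]
        findings.append({"bucket": bucket, "actor": ev["userIdentity"]["arn"],
                         "time": ev["eventTime"], "deletes_in_window": len(after)})
    return findings

if __name__ == "__main__":
    print(analyze(SAMPLE_EVENTS))
```

A finding with a non-zero deletes_in_window is the case the runbook treats as possible data destruction; a disable with no follow-up deletes still warrants confirming the change with the actor.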
Categories
- Cloud
- AWS
Data Sources
- Cloud Storage
- Application Log
ATT&CK Techniques
- T1562
- T1485
Created: 2025-12-10