AWS RDS Snapshot Enumeration with Public or Shared Flag

Panther Rules

Summary
This rule detects AWS RDS snapshot enumeration attempts by monitoring CloudTrail events for DescribeDBSnapshots and DescribeDBClusterSnapshots in which the requestParameters field has includePublic or includeShared set to true. Those flags are a reconnaissance signal: the caller is asking RDS to list publicly accessible or cross-account shared snapshots, which may contain sensitive data. The rule flags such enumeration requests when they originate from a specific user or principal within the past 6 hours, and it correlates the sourceIPAddress against known VPN or proxy services. It also looks for follow-on snapshot copy or restore actions by the same user within 24 hours, which helps establish whether the enumeration led to data exfiltration or compromise. Deduplication uses a 60-minute window to reduce noise. The rule maps to MITRE ATT&CK technique T1580 (Acquire Infrastructure/Obtain Capabilities) and outputs key attributes, namely eventName, userIdentity, the includePublic/includeShared flags, sourceIPAddress, and the involved AWS account IDs, to support investigation and response.
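The detection logic described above, written out as an added, Panther-style Python example; this is illustrative code, not the actual Panther rule. It assumes the CloudTrail event layout (eventSource, eventName, requestParameters, userIdentity, sourceIPAddress, recipientAccountId, eventTime), a constructed placeholder CIDR standing in for a VPN/proxy feed, and the RDS copy/restore API names as the follow-on actions. The sample events are constructed, not real logs, and the 60-minute dedup window is rule configuration rather than something the code enforces.

```python
"""Illustrative Panther-style rule for RDS snapshot enumeration with the
includePublic / includeShared flags. Added example, not Panther's own code."""
from datetime import datetime, timedelta
import ipaddress

RDS_SOURCE = "rds.amazonaws.com"
ENUM_EVENTS = {"DescribeDBSnapshots", "DescribeDBClusterSnapshots"}
# RDS API operations that would move snapshot data after enumeration (assumed follow-on set)
FOLLOW_ON_EVENTS = {
    "CopyDBSnapshot", "CopyDBClusterSnapshot",
    "RestoreDBInstanceFromDBSnapshot", "RestoreDBClusterFromSnapshot",
}
# Constructed placeholder; a real deployment would load a curated VPN/proxy feed.
KNOWN_VPN_PROXY_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
FOLLOW_ON_WINDOW = timedelta(hours=24)


def _flag(value) -> bool:
    """CloudTrail normally encodes booleans as JSON true/false; tolerate string forms too."""
    if isinstance(value, bool):
        return value
    return str(value).lower() == "true"


def rule(event: dict) -> bool:
    """Fire on DescribeDBSnapshots / DescribeDBClusterSnapshots asking for public or shared snapshots."""
    if event.get("eventSource") != RDS_SOURCE or event.get("eventName") not in ENUM_EVENTS:
        return False
    params = event.get("requestParameters") or {}
    return _flag(params.get("includePublic")) or _flag(params.get("includeShared"))


def principal(event: dict) -> str:
    ident = event.get("userIdentity") or {}
    return ident.get("arn") or ident.get("principalId") or "unknown"


def from_vpn_or_proxy(event: dict) -> bool:
    """Check the caller's source IP against the (placeholder) VPN/proxy ranges."""
    try:
        ip = ipaddress.ip_address(event.get("sourceIPAddress", ""))
    except ValueError:  # service-initiated calls carry a hostname, not an IP
        return False
    return any(ip in net for net in KNOWN_VPN_PROXY_RANGES)


def title(event: dict) -> str:
    return f"RDS snapshot enumeration with public/shared flag by {principal(event)}"


def dedup(event: dict) -> str:
    """Dedup key: same principal in the same account (the 60-minute window is rule config)."""
    return f"{principal(event)}:{event.get('recipientAccountId')}"


def alert_context(event: dict) -> dict:
    """The attributes an analyst needs first, as listed in the rule summary."""
    params = event.get("requestParameters") or {}
    return {
        "eventName": event.get("eventName"),
        "userIdentity": event.get("userIdentity"),
        "includePublic": _flag(params.get("includePublic")),
        "includeShared": _flag(params.get("includeShared")),
        "sourceIPAddress": event.get("sourceIPAddress"),
        "vpnOrProxy": from_vpn_or_proxy(event),
        "recipientAccountId": event.get("recipientAccountId"),
    }


def _ts(event: dict) -> datetime:
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def follow_on_actions(events: list) -> list:
    """Pair each flagged enumeration with copy/restore calls by the same principal within 24h."""
    hits = []
    for enum in (e for e in events if rule(e)):
        for later in events:
            if later.get("eventName") not in FOLLOW_ON_EVENTS or principal(later) != principal(enum):
                continue
            delta = _ts(later) - _ts(enum)
            if timedelta(0) <= delta <= FOLLOW_ON_WINDOW:
                hits.append((enum["eventName"], later["eventName"], delta))
    return hits


# Constructed sample CloudTrail events (not real logs).
SAMPLE_EVENTS = [
    {"eventTime": "2026-04-21T10:00:00Z", "eventSource": RDS_SOURCE, "eventName": "DescribeDBSnapshots",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"includePublic": True}, "sourceIPAddress": "203.0.113.7",
     "recipientAccountId": "111111111111"},
    {"eventTime": "2026-04-21T10:30:00Z", "eventSource": RDS_SOURCE, "eventName": "DescribeDBSnapshots",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"},
     "requestParameters": {"dbInstanceIdentifier": "prod-db"}, "sourceIPAddress": "198.51.100.9",
     "recipientAccountId": "111111111111"},
    {"eventTime": "2026-04-21T12:00:00Z", "eventSource": RDS_SOURCE, "eventName": "CopyDBSnapshot",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"sourceDBSnapshotIdentifier": "arn:aws:rds:us-east-1:222222222222:snapshot:shared-snap"},
     "sourceIPAddress": "203.0.113.7", "recipientAccountId": "111111111111"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        if rule(ev):
            print(title(ev), alert_context(ev))
    print(follow_on_actions(SAMPLE_EVENTS))
```

Run against the constructed events, only alice's DescribeDBSnapshots call fires (bob's plain describe without either flag does not), the alert context marks her source IP as matching the placeholder VPN/proxy range, and the follow-on pass links that enumeration to her CopyDBSnapshot two hours later. In a real Panther deployment, the 6-hour and 24-hour lookbacks and the 60-minute dedup window would come from the rule's scheduled query and dedup settings rather than from this in-memory correlation.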
Categories
  • Cloud
  • AWS
  • Database
Data Sources
  • Cloud Service
ATT&CK Techniques
  • T1580
Created: 2026-04-21