
AWS EC2 EBS Snapshot Access Removed

Elastic Detection Rules

Summary
This detection rule identifies when access permissions are removed from an Amazon EC2 Elastic Block Store (EBS) snapshot. Snapshots underpin data retention and disaster recovery, so adversaries may alter snapshot permissions to block legitimate access and complicate recovery after incidents such as ransomware or data loss. The activity is suspicious because it can indicate an attempt to keep exclusive control of critical backups, increasing the attacker's leverage while hindering incident response. The rule uses an ES|QL query over AWS CloudTrail logs to find successful ModifySnapshotAttribute calls whose request removes entries from the snapshot's create-volume permission, the attribute that grants other accounts access to the snapshot. Investigation steps include verifying the identity of the principal that made the change, establishing the context and timing of the action, and correlating it with other activity to judge whether the intent was malicious. Legitimate administrative changes can produce false positives, so analysis and context verification are essential before taking remedial action.
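The same detection logic, applied to a few constructed CloudTrail records, as an added example in Python. This is not the Elastic rule's ES|QL query and not code from the rule repository; the record layout follows the EC2 ModifySnapshotAttribute API (a createVolumePermission block with add/remove item lists), and the account IDs, ARNs, snapshot IDs and IP addresses are made up. It also adds a triage step the summary does not spell out: removing the group "all" makes a public snapshot private, which is a hardening action rather than an attempt to lock out a recovery account.

```python
"""Flag successful ModifySnapshotAttribute calls that remove snapshot access.

Added illustration of the rule's logic, not the Elastic ES|QL query.
The CloudTrail records below are constructed (assumed shape, not real logs).
"""
import json

ACTOR = "arn:aws:iam::111111111111:user/backup-admin"  # constructed principal


def _record(event_name, params, error=None):
    """Build one constructed CloudTrail record as a JSON line."""
    rec = {
        "eventTime": "2024-06-02T10:15:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": event_name,
        "userIdentity": {"type": "IAMUser", "arn": ACTOR},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": params,
    }
    if error:  # CloudTrail sets errorCode only on failed API calls
        rec["errorCode"] = error
    return json.dumps(rec)


def _perm(snapshot_id, op, items):
    return {
        "snapshotId": snapshot_id,
        "attributeType": "CREATE_VOLUME_PERMISSION",
        "createVolumePermission": {op: {"items": items}},
    }


SAMPLE_CLOUDTRAIL = [
    # 1. cross-account grant removed, success: should alert
    _record("ModifySnapshotAttribute",
            _perm("snap-0a1b2c3d4e5f60718", "remove", [{"userId": "222222222222"}])),
    # 2. grant added, not removed: no alert
    _record("ModifySnapshotAttribute",
            _perm("snap-0a1b2c3d4e5f60718", "add", [{"userId": "333333333333"}])),
    # 3. removal attempted but denied: no alert (rule wants successful calls)
    _record("ModifySnapshotAttribute",
            _perm("snap-0a1b2c3d4e5f60718", "remove", [{"userId": "222222222222"}]),
            error="Client.UnauthorizedOperation"),
    # 4. public access ("all" group) removed: alerts, but reads as hardening
    _record("ModifySnapshotAttribute",
            _perm("snap-0f9e8d7c6b5a43210", "remove", [{"group": "all"}])),
    # 5. different API call: outside this rule's scope
    _record("DeleteSnapshot", {"snapshotId": "snap-0a1b2c3d4e5f60718"}),
]


def removed_grants(event):
    """Return the permission entries removed by a successful
    ModifySnapshotAttribute call, or [] if the record does not match."""
    if event.get("eventSource") != "ec2.amazonaws.com":
        return []
    if event.get("eventName") != "ModifySnapshotAttribute":
        return []
    if event.get("errorCode"):
        return []
    params = event.get("requestParameters") or {}
    perm = params.get("createVolumePermission") or {}
    return (perm.get("remove") or {}).get("items") or []


def detect(lines):
    """Run the detection over JSON lines; return one alert dict per hit."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        items = removed_grants(ev)
        if not items:
            continue
        alerts.append({
            "time": ev.get("eventTime"),
            "actor": (ev.get("userIdentity") or {}).get("arn"),
            "source_ip": ev.get("sourceIPAddress"),
            "snapshot": ev["requestParameters"].get("snapshotId"),
            "removed_accounts": [i["userId"] for i in items if "userId" in i],
            "removed_groups": [i["group"] for i in items if "group" in i],
        })
    return alerts


def triage(alert):
    """First-pass label: dropping only group grants (e.g. 'all') reduces
    public exposure; dropping account IDs may cut a recovery account off."""
    if alert["removed_accounts"]:
        return "review-cross-account-removal"
    return "public-exposure-reduced"


if __name__ == "__main__":
    for a in detect(SAMPLE_CLOUDTRAIL):
        print(triage(a), a)
```

The two alerts come from records 1 and 4; the failed call in record 3 is dropped because CloudTrail records an errorCode, which is the "successful" condition the rule relies on. In a real investigation the actor ARN and source IP on each alert are the starting points for the identity and context checks described above.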
Categories
  • Cloud
  • AWS
  • Infrastructure
Data Sources
  • Cloud Service
  • Cloud Storage
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1490
  • T1485
Created: 2024-06-02