
Summary
This detection rule targets modification of Amazon EC2 snapshot attributes, specifically API calls that may indicate a snapshot being shared with accounts outside the organization. It is designed to catch cases where a user changes the visibility or permissions of an EC2 snapshot, because this behavior has been associated with data exfiltration. The rule uses AWS CloudTrail logs to identify any `ModifySnapshotAttribute` action taken within the last hour. Because snapshots serve as backups and recovery points, an unexpected change to their permissions can expose sensitive data to unauthorized parties. False positives are most often caused by legitimate sharing between accounts within the same organization; an exemption can be created for such known behavior. Investigation should include reviewing the user's other activity and related alerts, confirming the action with the account owner, and assessing whether it aligns with organizational policy. If a suspicious modification is confirmed, follow the organization's incident response plan, including disabling the account involved and analyzing the potential impact of the unauthorized access.
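The following is an added example, not part of the rule or its vendor's code, showing how the logic described above can be applied to CloudTrail records: it keeps only `ModifySnapshotAttribute` events from the last hour, reads which principals were granted create-volume permission on the snapshot, and separates sharing with known organization accounts (the exemption case) from sharing with external accounts or the public `all` group. The sample records, the organization account list and the fixed "now" timestamp are constructed for the example; the `requestParameters.createVolumePermission.add.items` layout is assumed from the shape of CloudTrail EC2 events and should be checked against real logs before use.

```python
from datetime import datetime, timedelta, timezone

# Constructed reference time for the example (not derived from real logs).
NOW = datetime(2020, 6, 24, 12, 0, 0, tzinfo=timezone.utc)

# Constructed allow-list of account IDs that belong to the organization.
ORG_ACCOUNTS = {"111111111111", "222222222222"}

# Constructed CloudTrail-style records; field names follow the CloudTrail event
# layout, but the values are made up for this example.
SAMPLE_EVENTS = [
    {"eventTime": "2020-06-24T11:45:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifySnapshotAttribute",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"snapshotId": "snap-0a1b", "attributeType": "CREATE_VOLUME_PERMISSION",
                           "createVolumePermission": {"add": {"items": [{"group": "all"}]}}}},
    {"eventTime": "2020-06-24T11:50:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifySnapshotAttribute",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"},
     "requestParameters": {"snapshotId": "snap-0c2d", "attributeType": "CREATE_VOLUME_PERMISSION",
                           "createVolumePermission": {"add": {"items": [{"userId": "999999999999"}]}}}},
    {"eventTime": "2020-06-24T11:55:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifySnapshotAttribute",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/carol"},
     "requestParameters": {"snapshotId": "snap-0e3f", "attributeType": "CREATE_VOLUME_PERMISSION",
                           "createVolumePermission": {"add": {"items": [{"userId": "222222222222"}]}}}},
    {"eventTime": "2020-06-24T11:58:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifySnapshotAttribute",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dave"},
     "requestParameters": {"snapshotId": "snap-0a1b", "attributeType": "CREATE_VOLUME_PERMISSION",
                           "createVolumePermission": {"remove": {"items": [{"userId": "999999999999"}]}}}},
    {"eventTime": "2020-06-24T11:59:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeSnapshots",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/erin"},
     "requestParameters": {}},
    {"eventTime": "2020-06-24T08:30:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifySnapshotAttribute",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/frank"},
     "requestParameters": {"snapshotId": "snap-0g4h", "attributeType": "CREATE_VOLUME_PERMISSION",
                           "createVolumePermission": {"add": {"items": [{"userId": "888888888888"}]}}}},
]


def parse_event_time(value):
    """CloudTrail eventTime is ISO 8601 with a trailing 'Z'; return an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def snapshot_share_targets(event):
    """Return the (kind, value) principals granted create-volume permission by this event.

    Only additions matter for the sharing case; removals tighten access and are ignored.
    """
    if event.get("eventSource") != "ec2.amazonaws.com":
        return []
    if event.get("eventName") != "ModifySnapshotAttribute":
        return []
    params = event.get("requestParameters") or {}
    perm = params.get("createVolumePermission") or {}
    added = (perm.get("add") or {}).get("items") or []
    targets = []
    for item in added:
        if "group" in item:
            targets.append(("group", item["group"]))
        elif "userId" in item:
            targets.append(("account", item["userId"]))
    return targets


def classify(event, org_accounts):
    """Return 'public', 'external', 'internal', or None for events that add no sharing."""
    targets = snapshot_share_targets(event)
    if not targets:
        return None
    if any(kind == "group" and value == "all" for kind, value in targets):
        return "public"
    if any(kind == "account" and value not in org_accounts for kind, value in targets):
        return "external"
    return "internal"  # every grantee is a known organization account: exempt


def find_suspicious(events, org_accounts, now, window=timedelta(hours=1)):
    """Apply the rule: ModifySnapshotAttribute within the window that shares outside the org."""
    hits = []
    for event in events:
        if now - parse_event_time(event["eventTime"]) > window:
            continue  # outside the one-hour lookback the rule uses
        severity = classify(event, org_accounts)
        if severity in ("public", "external"):
            hits.append({
                "snapshotId": event["requestParameters"].get("snapshotId"),
                "severity": severity,
                "actor": event.get("userIdentity", {}).get("arn"),
                "targets": snapshot_share_targets(event),
            })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS, ORG_ACCOUNTS, NOW):
        print(hit)
```

Run against the constructed records, the rule flags the snapshot made public and the one shared with an account outside the organization, while the intra-organization share, the permission removal, the unrelated `DescribeSnapshots` call and the share older than one hour are not reported. The `internal` classification is where an analyst would attach the exemption mentioned above; the `actor` field gives the starting point for the investigative steps (reviewing that user's other activity and confirming the action with the account owner).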
Categories
- Cloud
- AWS
Data Sources
- Cloud Storage
- Logon Session
- Network Traffic
ATT&CK Techniques
- T1537
Created: 2020-06-24