
AWS RDS Snapshot Exported to S3

Panther Rules

Summary
This rule detects when an AWS RDS snapshot export is initiated via StartExportTask to an S3 bucket, highlighting potential exfiltration of a database snapshot to a bucket under an attacker's or insider's control. It inspects CloudTrail events (eventSource rds.amazonaws.com, eventName StartExportTask) and captures the parameters an investigator needs: sourceArn (the snapshot being exported), s3BucketName, s3Prefix, iamRoleArn (the role RDS assumes to write the export), kmsKeyId (the key the exported data is encrypted with), and exportOnly, along with responseElements such as status and exportTaskIdentifier.

The accompanying runbook walks the analyst through separating routine exports from suspicious ones:

  1. Review all API activity by the user ARN in the prior 24 hours to establish baseline behavior.
  2. Check whether the target S3 bucket has been accessed by that user in the last 90 days.
  3. Search for other StartExportTask or snapshot-related operations by the same user within the past 7 days.

The rule ships with test cases for a legitimate export, an export to a suspicious external bucket, and an export that failed because access was denied. It uses a 60-minute deduplication window and fires on a single matching event (Threshold: 1). It maps to MITRE ATT&CK TA0010:T1537 (Transfer Data to Cloud Account). Alerts report eventName, userIdentity:principalId, requestParameters:s3BucketName, requestParameters:sourceArn, and p_any_aws_account_ids. Overall, the rule surfaces potential exfiltration of database contents via RDS snapshot exports and prompts investigators to review the IAM role used, the destination bucket's ownership and permissions, and any abnormal export activity.
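As an added example (not the Panther rule's own source, which this page does not reproduce), the following Python mirrors the detection logic the summary describes and runs it over three constructed CloudTrail events matching the rule's three test scenarios. The CloudTrail field names are those the summary cites; the KNOWN_EXPORT_BUCKETS allowlist, the severity ordering, the deep_get helper and the sample ARNs, account ID and bucket names are assumptions for illustration only.

```python
from typing import Any, Optional

# Assumed allowlist of buckets where snapshot exports are routine (hypothetical
# name); a real deployment would source this from its own inventory.
KNOWN_EXPORT_BUCKETS = {"acme-rds-exports-prod"}


def deep_get(obj: Any, *keys: str, default: Any = None) -> Any:
    """Walk nested dict keys, returning default if any step is missing."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def rule(event: dict) -> bool:
    """Match every RDS snapshot export request, successful or denied: a
    failed attempt still shows what the caller was trying to do."""
    return (event.get("eventSource") == "rds.amazonaws.com"
            and event.get("eventName") == "StartExportTask")


def severity(event: dict) -> str:
    """Assumed triage ordering (not from the page): export to an unknown
    bucket is HIGH, a denied attempt MEDIUM, an allowlisted destination LOW."""
    if event.get("errorCode"):
        return "MEDIUM"
    if deep_get(event, "requestParameters", "s3BucketName") in KNOWN_EXPORT_BUCKETS:
        return "LOW"
    return "HIGH"


def title(event: dict) -> str:
    """Alert title built from the fields the page lists."""
    who = deep_get(event, "userIdentity", "arn", default="<unknown>")
    snapshot = deep_get(event, "requestParameters", "sourceArn", default="<unknown>")
    bucket = deep_get(event, "requestParameters", "s3BucketName", default="<unknown>")
    outcome = "failed" if event.get("errorCode") else "started"
    return f"RDS snapshot export {outcome}: {snapshot} -> s3://{bucket} by {who}"


def alert_context(event: dict) -> dict:
    """Fields an analyst needs to start the runbook. p_any_aws_account_ids is
    Panther's normalized field; raw CloudTrail only has recipientAccountId."""
    return {
        "eventName": event.get("eventName"),
        "principalId": deep_get(event, "userIdentity", "principalId"),
        "s3BucketName": deep_get(event, "requestParameters", "s3BucketName"),
        "sourceArn": deep_get(event, "requestParameters", "sourceArn"),
        "iamRoleArn": deep_get(event, "requestParameters", "iamRoleArn"),
        "kmsKeyId": deep_get(event, "requestParameters", "kmsKeyId"),
        "status": deep_get(event, "responseElements", "status"),
        "errorCode": event.get("errorCode"),
        "aws_account_ids": event.get("p_any_aws_account_ids")
        or [event.get("recipientAccountId")],
    }


def make_export_event(bucket: str, error_code: Optional[str] = None) -> dict:
    """Constructed CloudTrail StartExportTask record (sample data, not a real log)."""
    event = {
        "eventSource": "rds.amazonaws.com",
        "eventName": "StartExportTask",
        "recipientAccountId": "111122223333",
        "userIdentity": {"principalId": "AIDAEXAMPLEPRINCIPAL",
                         "arn": "arn:aws:iam::111122223333:user/dba-jsmith"},
        "requestParameters": {
            "exportTaskIdentifier": "export-orders-2026-04-21",
            "sourceArn": "arn:aws:rds:us-east-1:111122223333:snapshot:orders-prod-2026-04-21",
            "s3BucketName": bucket,
            "s3Prefix": "rds/",
            "iamRoleArn": "arn:aws:iam::111122223333:role/rds-s3-export",
            "kmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/example-key-id",
            "exportOnly": ["orders.public.customers"],
        },
        # A successful request is answered with status STARTING; a denied
        # request has no responseElements but carries errorCode/errorMessage.
        "responseElements": None if error_code else
            {"exportTaskIdentifier": "export-orders-2026-04-21", "status": "STARTING"},
    }
    if error_code:
        event["errorCode"] = error_code
        event["errorMessage"] = "User is not authorized to perform: rds:StartExportTask"
    return event


# The three scenarios the page's test cases cover, as constructed samples.
SAMPLES = {
    "legitimate": make_export_event("acme-rds-exports-prod"),
    "external_bucket": make_export_event("totally-unrelated-bucket-4815"),
    "access_denied": make_export_event("totally-unrelated-bucket-4815", "AccessDenied"),
}


if __name__ == "__main__":
    for name, ev in SAMPLES.items():
        if rule(ev):
            print(f"{name:<16} {severity(ev):<6} {title(ev)}")
```

All three samples match `rule()`, which is the point of a Threshold-of-1 detection on this API: the export to the known bucket is still worth a (low-severity) record, and the denied attempt is arguably the most interesting of the three, since a principal probing rds:StartExportTask against a bucket it has never used is exactly the behavior the runbook's baseline checks are meant to expose.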
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Service
ATT&CK Techniques
  • T1537
Created: 2026-04-21