
Summary
This rule detects deletion of Amazon RDS snapshots by monitoring AWS CloudTrail events. It specifically flags the management API calls DeleteDBSnapshot and DeleteDBClusterSnapshot, which delete manual instance or cluster backups. The detection uses a 60-minute de-duplication window and treats a single snapshot deletion as noteworthy (Threshold: 1), while also allowing correlation of bulk deletion patterns over a 24-hour horizon.

The Runbook describes two follow-up checks: determine whether the deleted snapshot(s) were shared with external accounts in the prior seven days, and investigate related database modification or deletion events from the same user within a two-hour window after the deletion. These signals align with adversarial objectives such as data destruction and credential or evidence removal, intended to impede recovery and suppress exfiltration visibility. The rule maps to the MITRE techniques Data Destruction (TA0040/T1485) and Indicator Removal (TA0005/T1070).

Positive test cases include DeleteDBSnapshot and DeleteDBClusterSnapshot events by various identities, illustrating both legitimate and potentially malicious activity; negative cases include a failed deletion due to an invalid snapshot state and an unrelated CreateDBSnapshot event, confirming that the rule does not trigger on non-matching activity. Overall, the rule aims to detect attacker-driven or compromised-identity backup deletion as a potential ransomware-preparation or data-exfiltration-concealment signal within AWS RDS environments.
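The following is an added example, not the rule's own code: a small Python detector that applies the summary's matching logic to CloudTrail records and implements the two Runbook correlations plus the 24-hour bulk-deletion check. The function names (`rule`, `title`, `dedup_key`, `triage`) are assumptions modelled on a Panther-style rule, the CloudTrail records are constructed samples, and the assumption that snapshot sharing appears as ModifyDBSnapshotAttribute / ModifyDBClusterSnapshotAttribute calls with the `restore` attribute is noted in the code.

```python
"""Added example (not the rule's own implementation): RDS snapshot deletion
detection over CloudTrail records, with the runbook correlations described
in the summary. Sample events below are constructed for illustration."""
from datetime import datetime, timedelta

DELETE_EVENTS = {"DeleteDBSnapshot", "DeleteDBClusterSnapshot"}
# Assumption: sharing a snapshot with another account is recorded as one of
# these calls with attributeName "restore" and the account IDs in valuesToAdd.
SHARE_EVENTS = {"ModifyDBSnapshotAttribute", "ModifyDBClusterSnapshotAttribute"}
# Assumption: the "related database modification or deletion" events to correlate.
DB_CHANGE_EVENTS = {"ModifyDBInstance", "DeleteDBInstance", "ModifyDBCluster", "DeleteDBCluster"}

ALICE = "arn:aws:iam::111111111111:user/alice"  # constructed identity


def _ts(event):
    return datetime.fromisoformat(event["eventTime"].replace("Z", "+00:00"))


def _actor(event):
    return event.get("userIdentity", {}).get("arn", "unknown")


def _snapshot_id(event):
    p = event.get("requestParameters") or {}
    return p.get("dBSnapshotIdentifier") or p.get("dBClusterSnapshotIdentifier")


def rule(event):
    """Fire on a successful snapshot deletion; failed calls carry errorCode and are ignored."""
    return (event.get("eventSource") == "rds.amazonaws.com"
            and event.get("eventName") in DELETE_EVENTS
            and not event.get("errorCode"))


def dedup_key(event):
    """One alert per actor inside the 60-minute de-duplication window."""
    return _actor(event)


def title(event):
    return f"RDS snapshot {_snapshot_id(event)} deleted by {_actor(event)} via {event['eventName']}"


def shared_externally(deletion, history, own_account, days=7):
    """Runbook check 1: was this snapshot shared outside own_account in the prior N days?"""
    start, snap = _ts(deletion) - timedelta(days=days), _snapshot_id(deletion)
    for ev in history:
        if ev.get("eventName") not in SHARE_EVENTS or _snapshot_id(ev) != snap:
            continue
        if not (start <= _ts(ev) <= _ts(deletion)):
            continue
        p = ev.get("requestParameters") or {}
        if p.get("attributeName") == "restore":
            if any(acct != own_account for acct in p.get("valuesToAdd") or []):
                return True
    return False


def related_db_changes(deletion, history, hours=2):
    """Runbook check 2: DB modify/delete calls by the same actor within N hours after the deletion."""
    end = _ts(deletion) + timedelta(hours=hours)
    return [ev["eventName"] for ev in history
            if ev.get("eventName") in DB_CHANGE_EVENTS
            and _actor(ev) == _actor(deletion)
            and _ts(deletion) <= _ts(ev) <= end]


def bulk_deletions(events, hours=24, threshold=2):
    """Actors with at least `threshold` successful deletions inside any N-hour window."""
    by_actor = {}
    for ev in events:
        if rule(ev):
            by_actor.setdefault(_actor(ev), []).append(_ts(ev))
    flagged = set()
    for actor, times in by_actor.items():
        times.sort()
        for i, t0 in enumerate(times):
            if sum(1 for t in times[i:] if t - t0 <= timedelta(hours=hours)) >= threshold:
                flagged.add(actor)
                break
    return flagged


def _ev(name, when, actor=ALICE, params=None, error=None):
    ev = {"eventSource": "rds.amazonaws.com", "eventName": name, "eventTime": when,
          "userIdentity": {"arn": actor}, "requestParameters": params or {}}
    if error:
        ev["errorCode"] = error
    return ev


# Constructed CloudTrail records: a prior share, two real deletions, a failed
# deletion (negative case), an unrelated CreateDBSnapshot (negative case), and a
# follow-up DeleteDBInstance by the same actor.
SAMPLE_EVENTS = [
    _ev("ModifyDBSnapshotAttribute", "2026-04-18T09:00:00Z", params={
        "dBSnapshotIdentifier": "prod-db-final", "attributeName": "restore",
        "valuesToAdd": ["999999999999"]}),
    _ev("DeleteDBSnapshot", "2026-04-21T10:00:00Z", params={"dBSnapshotIdentifier": "prod-db-final"}),
    _ev("DeleteDBClusterSnapshot", "2026-04-21T10:05:00Z",
        params={"dBClusterSnapshotIdentifier": "prod-cluster-final"}),
    _ev("DeleteDBSnapshot", "2026-04-21T10:10:00Z", actor="arn:aws:iam::111111111111:user/bob",
        params={"dBSnapshotIdentifier": "staging-db"}, error="InvalidDBSnapshotState"),
    _ev("CreateDBSnapshot", "2026-04-21T10:15:00Z", params={"dBSnapshotIdentifier": "prod-db-2026-04-21"}),
    _ev("DeleteDBInstance", "2026-04-21T11:30:00Z", params={"dBInstanceIdentifier": "prod-db"}),
]


def triage(events=SAMPLE_EVENTS, own_account="111111111111"):
    """Run the rule over a batch and attach both runbook checks to every hit."""
    hits = [{"title": title(ev), "dedup": dedup_key(ev),
             "shared_externally": shared_externally(ev, events, own_account),
             "related_db_changes": related_db_changes(ev, events)}
            for ev in events if rule(ev)]
    return hits, bulk_deletions(events)


if __name__ == "__main__":
    for hit in triage()[0]:
        print(hit)
```

Running the module prints two hits (the successful DeleteDBSnapshot and DeleteDBClusterSnapshot); the first is flagged as shared with an external account three days earlier and both carry the follow-up DeleteDBInstance, while the failed deletion and the CreateDBSnapshot record produce nothing, matching the positive and negative test cases the summary describes.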
Categories
- Cloud
- AWS
- Database
Data Sources
- Cloud Service
ATT&CK Techniques
- T1485
- T1070
Created: 2026-04-21