AWS Exfiltration via Bucket Replication

Splunk Security Content

Summary
This analytic monitors changes to AWS S3 bucket replication by examining AWS CloudTrail logs for `PutBucketReplication` API calls. The rule extracts key request parameters, `bucketName` and `ReplicationConfiguration.Rule.Destination.Bucket`, together with the identity of the caller, to surface replication configurations that could be used for data exfiltration. Enabling replication on an S3 bucket can copy sensitive objects to a bucket in another AWS account, which can lead to a data breach and compliance violations if it is done without proper authorization. Because replication is also a normal backup and disaster-recovery mechanism, expect to tune the rule with the destination buckets and replication roles your organization actually uses. Reviewing these events lets an organization spot replication activity that deviates from normal operational practice and respond faster.
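The following Python is an added example, not the Splunk rule itself (which is an SPL search over the `cloudtrail` index) and not code from the Splunk Security Content project. It applies the same logic to a few constructed CloudTrail records: keep only `s3.amazonaws.com` / `PutBucketReplication` events, pull out `bucketName`, the destination bucket and the caller, and additionally flag the case the summary describes, a destination owned by a different account (`ReplicationConfiguration.Rule.Destination.Account` differs from `recipientAccountId`). The approved-destination allow-list, the severity labels and every account ID, bucket name and IP address are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample CloudTrail records (not real logs). Field names follow the
# CloudTrail record format; all account IDs, buckets, ARNs and IPs are made up.
SAMPLE_EVENTS = [
    {   # 1: replication to a bucket owned by another account -> high
        "eventTime": "2024-11-14T10:15:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "PutBucketReplication", "sourceIPAddress": "203.0.113.10",
        "recipientAccountId": "111111111111",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
        "requestParameters": {"bucketName": "corp-finance-data", "ReplicationConfiguration": {
            "Role": "arn:aws:iam::111111111111:role/s3-replication",
            "Rule": {"ID": "rule-1", "Status": "Enabled",
                     "Destination": {"Bucket": "arn:aws:s3:::ext-landing-zone",
                                     "Account": "999999999999"}}}},
    },
    {   # 2: same-account replication to an approved DR bucket -> suppressed
        "eventTime": "2024-11-14T10:20:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "PutBucketReplication", "sourceIPAddress": "10.0.0.5",
        "recipientAccountId": "111111111111",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111111111111:assumed-role/backup-admin/s1"},
        "requestParameters": {"bucketName": "corp-logs", "ReplicationConfiguration": {
            "Role": "arn:aws:iam::111111111111:role/s3-replication",
            "Rule": [{"ID": "dr", "Status": "Enabled",   # list form: several rules
                      "Destination": {"Bucket": "arn:aws:s3:::corp-logs-dr"}}]}},
    },
    {   # 3: same account, unknown destination, and the call was denied -> medium
        "eventTime": "2024-11-14T10:25:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "PutBucketReplication", "sourceIPAddress": "198.51.100.7",
        "recipientAccountId": "111111111111", "errorCode": "AccessDenied",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/bob"},
        "requestParameters": {"bucketName": "corp-hr-docs", "ReplicationConfiguration": {
            "Role": "arn:aws:iam::111111111111:role/s3-replication",
            "Rule": {"ID": "x", "Status": "Enabled",
                     "Destination": {"Bucket": "arn:aws:s3:::scratch-bucket-42"}}}},
    },
    {   # 4: unrelated S3 call -> ignored by the filter
        "eventTime": "2024-11-14T10:30:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "GetBucketReplication", "recipientAccountId": "111111111111",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
        "requestParameters": {"bucketName": "corp-finance-data"},
    },
]


@dataclass
class Finding:
    time: str
    actor: str
    source_ip: str
    source_bucket: str
    destination_bucket: str
    destination_account: Optional[str]
    cross_account: bool
    succeeded: bool
    severity: str


def _rules(config: dict) -> List[dict]:
    """A replication configuration carries one Rule (dict) or several (list)."""
    rules = config.get("Rule") or config.get("Rules") or []
    return rules if isinstance(rules, list) else [rules]


def detect_bucket_replication(events: Iterable[dict],
                              approved_destinations: Iterable[str] = ()) -> List[Finding]:
    """Return one Finding per PutBucketReplication destination worth reviewing."""
    approved = set(approved_destinations)   # assumed allow-list of known DR/backup buckets
    findings: List[Finding] = []
    for ev in events:
        if ev.get("eventSource") != "s3.amazonaws.com" or ev.get("eventName") != "PutBucketReplication":
            continue
        params = ev.get("requestParameters") or {}
        home_account = ev.get("recipientAccountId")
        identity = ev.get("userIdentity") or {}
        actor = identity.get("arn") or identity.get("type", "unknown")
        succeeded = "errorCode" not in ev      # a denied call still shows intent
        for rule in _rules(params.get("ReplicationConfiguration") or {}):
            dest = rule.get("Destination") or {}
            dest_bucket = dest.get("Bucket", "")
            # The bucket ARN carries no account ID, so cross-account replication can only
            # be inferred from Destination.Account (set for owner-override replication).
            dest_account = dest.get("Account")
            cross_account = dest_account is not None and dest_account != home_account
            if cross_account:
                severity = "high"
            elif dest_bucket in approved:
                continue                       # expected intra-account replication
            else:
                severity = "medium"            # unknown destination: review
            findings.append(Finding(ev.get("eventTime", ""), actor, ev.get("sourceIPAddress", ""),
                                    params.get("bucketName", ""), dest_bucket, dest_account,
                                    cross_account, succeeded, severity))
    return findings


if __name__ == "__main__":
    for f in detect_bucket_replication(SAMPLE_EVENTS, {"arn:aws:s3:::corp-logs-dr"}):
        print(f"[{f.severity}] {f.actor} set {f.source_bucket} -> {f.destination_bucket} "
              f"(cross-account={f.cross_account}, succeeded={f.succeeded})")
```

Run as-is it reports two findings: the cross-account configuration as high and the denied attempt against an unknown destination as medium, while the approved same-account DR replication is suppressed. Without an allow-list every destination in the sample is reported, which is the behaviour of the rule as summarized above; the allow-list is the tuning knob a production deployment would need.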
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Storage
  • User Account
ATT&CK Techniques
  • T1537
  • T1119
Created: 2024-11-14