
Summary
This detection rule monitors AWS S3 bucket activity for the use of Server-Side Encryption with Customer-Provided Keys (SSE-C). Threat actors may use SSE-C to upload encrypted objects to S3, potentially to conceal exfiltrated data. Because the encryption keys are supplied by the caller and are neither managed nor stored by AWS, their use can hinder forensic investigation and detection. The logic analyzes AWS CloudTrail logs to identify PutObject API calls that carry the `x-amz-server-side-encryption-customer-algorithm` header, which indicates that the object was encrypted with a customer-supplied key. By capturing events that meet this criterion, the rule alerts on possible malicious activity, such as data exfiltration in which attackers encrypt their uploads with keys they control to evade inspection. The rule's output includes event metadata, such as user identity and source IP, that lets security teams tie the event to a specific actor and location for further investigation.
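The following Python script is an added example of the detection logic described above; it is not the rule's own query and not code from the rule's authors. It assumes that CloudTrail S3 data-event logging is enabled for the bucket (PutObject is a data event and is not recorded by a management-events-only trail) and that the SSE-C header appears as a key under each record's `requestParameters`. The sample CloudTrail records, account id, bucket name and IP address are all constructed for the demonstration.

```python
"""Flag S3 PutObject calls that used SSE-C (customer-provided keys) in CloudTrail logs.

Added example, not the detection rule's own implementation. Assumes the request
header surfaces under requestParameters in the CloudTrail record.
"""
import json
from dataclasses import dataclass
from typing import Iterable, Iterator

# Header that S3 requires on every SSE-C request; its presence is the detection criterion.
SSE_C_HEADER = "x-amz-server-side-encryption-customer-algorithm"


@dataclass(frozen=True)
class SseCAlert:
    """Metadata an analyst needs to pivot from the alert to actor, source and object."""
    event_time: str
    actor_arn: str
    source_ip: str
    bucket: str
    key: str
    algorithm: str


def is_ssec_put(record: dict) -> bool:
    """True for a successful S3 PutObject whose request carried the SSE-C algorithm header."""
    if record.get("eventSource") != "s3.amazonaws.com":
        return False
    if record.get("eventName") != "PutObject":      # GetObject also uses SSE-C headers; only uploads matter here
        return False
    if record.get("errorCode"):                      # a rejected upload stored nothing
        return False
    params = record.get("requestParameters") or {}
    return bool(params.get(SSE_C_HEADER))


def find_ssec_uploads(records: Iterable[dict]) -> Iterator[SseCAlert]:
    """Yield one alert per matching record, carrying the fields used for triage."""
    for rec in records:
        if not is_ssec_put(rec):
            continue
        params = rec.get("requestParameters") or {}
        yield SseCAlert(
            event_time=rec.get("eventTime", ""),
            actor_arn=(rec.get("userIdentity") or {}).get("arn", ""),
            source_ip=rec.get("sourceIPAddress", ""),
            bucket=params.get("bucketName", ""),
            key=params.get("key", ""),
            algorithm=params[SSE_C_HEADER],
        )


def scan_cloudtrail_file(text: str) -> list:
    """Parse a CloudTrail log file body ({"Records": [...]}) and return the alerts it produces."""
    doc = json.loads(text)
    return list(find_ssec_uploads(doc.get("Records", [])))


# Constructed sample log: one SSE-C upload, one SSE-S3 upload (should not fire),
# one SSE-C upload that was denied, and one SSE-C read (should not fire).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2025-04-18T10:15:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/example-user"},
     "requestParameters": {"bucketName": "example-bucket", "key": "backups/archive.tar",
                           SSE_C_HEADER: "AES256"}},
    {"eventTime": "2025-04-18T10:16:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/example-user"},
     "requestParameters": {"bucketName": "example-bucket", "key": "logs/app.log",
                           "x-amz-server-side-encryption": "AES256"}},
    {"eventTime": "2025-04-18T10:17:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "errorCode": "AccessDenied", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/other-user"},
     "requestParameters": {"bucketName": "example-bucket", "key": "backups/denied.tar",
                           SSE_C_HEADER: "AES256"}},
    {"eventTime": "2025-04-18T10:18:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/example-user"},
     "requestParameters": {"bucketName": "example-bucket", "key": "backups/archive.tar",
                           SSE_C_HEADER: "AES256"}},
]})


if __name__ == "__main__":
    for alert in scan_cloudtrail_file(SAMPLE_LOG):
        print(f"{alert.event_time} SSE-C upload by {alert.actor_arn} from {alert.source_ip} "
              f"to s3://{alert.bucket}/{alert.key} ({alert.algorithm})")
```

Only the first record produces an alert: the SSE-S3 upload lacks the SSE-C header, the denied upload stored no object, and the GetObject is a read rather than an upload. Note that the key itself never appears in CloudTrail, which is exactly why the alert has to be tied back to the actor and source IP for investigation.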
Categories
- Cloud
- AWS
Data Sources
- Cloud Service
- Cloud Storage
- Logon Session
ATT&CK Techniques
- T1486
Created: 2025-04-18