
AWS Snapshot Backup Exfiltration

Sigma Rules

Summary
This detection rule identifies potential exfiltration attempts involving EC2 snapshots in AWS. Specifically, it focuses on changes to the permissions of EC2 snapshots that enable access from external AWS accounts. It monitors CloudTrail logs for events whose event source is 'ec2.amazonaws.com' and whose event name is 'ModifySnapshotAttribute', which lets it flag modifications that may indicate a security risk. Because altering snapshot permissions can lead to unauthorized access or data leaks, this rule helps maintain the security posture of AWS environments, particularly by catching unintentional data exposure during backup operations. Since legitimate changes to permissions also occur, the rule notes possible false positives, notably administrative actions by authorized users or processes.
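The following is an added example, not part of the rule or the site, showing the selection described above applied to CloudTrail records and then triaged to address the false positives the summary mentions. The base match is exactly the two fields the rule uses (event source and event name); the extra step inspects the createVolumePermission block of requestParameters, whose layout is assumed from the CloudTrail format for this API, and ranks each hit by whether the snapshot was made public, shared with an account outside a constructed allowlist, or shared inside the organisation. The sample events and account IDs are constructed for this example.

```python
import json
from typing import Any, Dict, Iterable, List, Set, Tuple

# Constructed sample CloudTrail records for this example; they are not real logs.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    # Unrelated EC2 call: must not match the rule.
    {"eventSource": "ec2.amazonaws.com", "eventName": "CreateSnapshot",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/backup-bot"},
     "requestParameters": {"volumeId": "vol-0a1b2c3d4e5f67890"}},
    # Share with another account of the same organisation: matches, low priority.
    {"eventSource": "ec2.amazonaws.com", "eventName": "ModifySnapshotAttribute",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"snapshotId": "snap-0123456789abcdef0",
                           "attributeType": "CREATE_VOLUME_PERMISSION",
                           "createVolumePermission": {"add": {"items": [{"userId": "222222222222"}]}}}},
    # Share with an account outside the allowlist: matches, high priority.
    {"eventSource": "ec2.amazonaws.com", "eventName": "ModifySnapshotAttribute",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"},
     "requestParameters": {"snapshotId": "snap-0fedcba9876543210",
                           "attributeType": "CREATE_VOLUME_PERMISSION",
                           "createVolumePermission": {"add": {"items": [{"userId": "999999999999"}]}}}},
    # Snapshot made public: matches, critical.
    {"eventSource": "ec2.amazonaws.com", "eventName": "ModifySnapshotAttribute",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/Admin"},
     "requestParameters": {"snapshotId": "snap-0aaaaaaaaaaaaaaaa",
                           "attributeType": "CREATE_VOLUME_PERMISSION",
                           "createVolumePermission": {"add": {"items": [{"group": "all"}]}}}},
    # Revoking a permission: matches the rule but grants nothing new.
    {"eventSource": "ec2.amazonaws.com", "eventName": "ModifySnapshotAttribute",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"snapshotId": "snap-0123456789abcdef0",
                           "attributeType": "CREATE_VOLUME_PERMISSION",
                           "createVolumePermission": {"remove": {"items": [{"userId": "222222222222"}]}}}},
]

# Constructed allowlist: account IDs that belong to this organisation.
TRUSTED_ACCOUNTS: Set[str] = {"111111111111", "222222222222"}


def matches_rule(event: Dict[str, Any]) -> bool:
    """The selection the rule summary describes: EC2 source + ModifySnapshotAttribute."""
    return (event.get("eventSource") == "ec2.amazonaws.com"
            and event.get("eventName") == "ModifySnapshotAttribute")


def added_grantees(event: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Return ("account", id) / ("group", name) pairs added by this call.

    The nested createVolumePermission.add.items layout is assumed from the
    CloudTrail requestParameters for this API; missing keys yield an empty list."""
    params = event.get("requestParameters") or {}
    items = (((params.get("createVolumePermission") or {}).get("add") or {}).get("items")) or []
    out: List[Tuple[str, str]] = []
    for item in items:
        if "userId" in item:
            out.append(("account", str(item["userId"])))
        elif "group" in item:
            out.append(("group", str(item["group"])))
    return out


def severity_for(grantees: List[Tuple[str, str]], trusted: Set[str]) -> str:
    """Rank a matched event by the exposure it creates."""
    if any(kind == "group" and name == "all" for kind, name in grantees):
        return "critical"   # snapshot is now readable by every AWS account
    if any(kind == "account" and name not in trusted for kind, name in grantees):
        return "high"       # shared with an account outside the organisation
    if grantees:
        return "low"        # shared with an allowlisted account (likely administrative)
    return "info"           # matched the rule but added no grantee (e.g. a removal)


def triage(events: Iterable[Dict[str, Any]], trusted: Set[str] = TRUSTED_ACCOUNTS) -> List[Dict[str, str]]:
    """Apply the rule selection, then enrich each hit with actor, grantees and severity."""
    findings: List[Dict[str, str]] = []
    for ev in events:
        if not matches_rule(ev):
            continue
        grantees = added_grantees(ev)
        findings.append({
            "snapshotId": (ev.get("requestParameters") or {}).get("snapshotId", "?"),
            "actor": (ev.get("userIdentity") or {}).get("arn", "?"),
            "grantees": ",".join(f"{k}:{v}" for k, v in grantees) or "-",
            "severity": severity_for(grantees, trusted),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

Run against the sample set, the unrelated CreateSnapshot record is ignored, the in-organisation share is reported at low severity, the share to an unknown account at high, the public share at critical, and the removal at info; in a real pipeline the allowlist would be fed from AWS Organizations rather than hard-coded.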
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Service
  • Cloud Storage
  • Network Traffic
Created: 2021-05-17