diff --git a/rules/cloud/aws_cloudtrail_disable_logging.yml b/rules/cloud/aws_cloudtrail_disable_logging.yml
new file mode 100644
index 000000000..c09c19388
--- /dev/null
+++ b/rules/cloud/aws_cloudtrail_disable_logging.yml
@@ -0,0 +1,23 @@
+title: CloudTrail's Trail important change
+id: 4db60cc0-36fb-42b7-9b58-a5b53019fb74
+status: experimental
+author: vitaliy0x1
+description: Detects disabling, deleting and updating of a Trail
+references:
+ - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html
+logsource:
+ service: CloudTrail
+detection:
+ selection_source:
+ - eventSource: cloudtrail.amazonaws.com
+ events:
+ - eventName:
+ - StopLogging
+ - UpdateTrail
+ - DeleteTrail
+ condition: selection_source AND events
+level: high
+falsepositives:
+ - Valid change in a Trail
+tags:
+ - attack.t1089
\ No newline at end of file
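Review bot: The `condition:` line writes the boolean keyword in uppercase (`selection_source AND events`), whereas the Sigma specification spells `and`/`or`/`not` in lowercase and some backends may not accept the uppercase form; the line should read `condition: selection_source and events`. The `attack.t1089` entry under `tags:` points to a technique that ATT&CK has since deprecated in favour of T1562 Impair Defenses — for cloud logging the matching sub-technique is `attack.t1562.008`, and the tactic tag `attack.defense_evasion` is normally listed alongside it. Both selections are single maps joined by AND, so they could also be merged into one selection carrying both the `eventSource` and `eventName` keys with `condition: selection`, which is the more common Sigma style and avoids the list-of-maps nesting used here. The rule also lacks a `date:` field, which the SigmaHQ rule template expects, and the logsource value `CloudTrail` is capitalised where other AWS rules appear to use `cloudtrail` together with `product: aws` — worth confirming against the repository convention.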