From 5f4f9d206f205d40b2ff4a2276b8f89a7ea55d2e Mon Sep 17 00:00:00 2001
From: Isai <59296946+imays11@users.noreply.github.com>
Date: Tue, 20 Jan 2026 16:05:39 -0500
Subject: [PATCH] [Rule Deprecations] AWS Rule Deprecations (#5568)

Completing the Deprecation process for these rules as they have been shipped at least 2 release cycles with "Deprecated - " prefix. All have the following metadata changes
maturity = "deprecated"
updated_date = "2026/01/16"
deprecation_date = "2026/01/16"
---
 .../defense_evasion_elasticache_security_group_creation.toml | 5 +++--
 ...asion_elasticache_security_group_modified_or_deleted.toml | 5 +++--
 .../exfiltration_ec2_vm_export_failure.toml | 5 +++--
 .../aws => _deprecated}/impact_rds_group_deletion.toml | 5 +++--
 .../impact_rds_instance_cluster_stoppage.toml | 5 +++--
 .../persistence_rds_cluster_creation.toml | 5 +++--
 .../aws => _deprecated}/persistence_rds_group_creation.toml | 5 +++--
 .../persistence_rds_instance_creation.toml | 5 +++--
 .../persistence_redshift_instance_creation.toml | 5 +++--
 9 files changed, 27 insertions(+), 18 deletions(-)
 rename rules/{integrations/aws => _deprecated}/defense_evasion_elasticache_security_group_creation.toml (98%)
 rename rules/{integrations/aws => _deprecated}/defense_evasion_elasticache_security_group_modified_or_deleted.toml (98%)
 rename rules/{integrations/aws => _deprecated}/exfiltration_ec2_vm_export_failure.toml (98%)
 rename rules/{integrations/aws => _deprecated}/impact_rds_group_deletion.toml (98%)
 rename rules/{integrations/aws => _deprecated}/impact_rds_instance_cluster_stoppage.toml (98%)
 rename rules/{integrations/aws => _deprecated}/persistence_rds_cluster_creation.toml (98%)
 rename rules/{integrations/aws => _deprecated}/persistence_rds_group_creation.toml (98%)
 rename rules/{integrations/aws => _deprecated}/persistence_rds_instance_creation.toml (98%)
 rename rules/{integrations/aws => _deprecated}/persistence_redshift_instance_creation.toml (98%)
diff --git a/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml b/rules/_deprecated/defense_evasion_elasticache_security_group_creation.toml
similarity index 98%
rename from rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml
rename to rules/_deprecated/defense_evasion_elasticache_security_group_creation.toml
index 9d6962883..c1e11f5a0 100644
--- a/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml
+++ b/rules/_deprecated/defense_evasion_elasticache_security_group_creation.toml
@@ -1,8 +1,9 @@
 [metadata]
 creation_date = "2021/07/19"
 integration = ["aws"]
-maturity = "production"
-updated_date = "2025/11/18"
+maturity = "deprecated"
+updated_date = "2026/01/16"
+deprecation_date = "2026/01/16"
 
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml b/rules/_deprecated/defense_evasion_elasticache_security_group_modified_or_deleted.toml
similarity index 98%
rename from rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml
rename to rules/_deprecated/defense_evasion_elasticache_security_group_modified_or_deleted.toml
index 2fafeb324..131df9a70 100644
--- a/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml
+++ b/rules/_deprecated/defense_evasion_elasticache_security_group_modified_or_deleted.toml
@@ -1,8 +1,9 @@
 [metadata]
 creation_date = "2021/07/19"
 integration = ["aws"]
-maturity = "production"
-updated_date = "2025/11/18"
+maturity = "deprecated"
+updated_date = "2026/01/16"
+deprecation_date = "2026/01/16"
 
 [rule]
 author = ["Austin Songer"]
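Review bot: `deprecation_date` is appended after `updated_date` in the `[metadata]` table of `defense_evasion_elasticache_security_group_creation.toml`, while the visible keys of that table are otherwise in alphabetical order (`creation_date`, `integration`, `maturity`, `updated_date`). Placing `deprecation_date = "2026/01/16"` directly after `creation_date` would keep the table sorted. The same placement appears in the other eight renamed files in this commit. Separately, the commit description gives no reason for retiring these ElastiCache, EC2 export, RDS and Redshift detections and names no rule that takes over their coverage. A short pointer there would help anyone auditing detection coverage after the upgrade.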
diff --git a/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml b/rules/_deprecated/exfiltration_ec2_vm_export_failure.toml
similarity index 98%
rename from rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml
rename to rules/_deprecated/exfiltration_ec2_vm_export_failure.toml
index e11d2137f..3f12c0eba 100644
--- a/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml
+++ b/rules/_deprecated/exfiltration_ec2_vm_export_failure.toml
@@ -1,8 +1,9 @@
 [metadata]
 creation_date = "2021/04/22"
 integration = ["aws"]
-maturity = "production"
-updated_date = "2025/10/23"
+maturity = "deprecated"
+updated_date = "2026/01/16"
+deprecation_date = "2026/01/16"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/integrations/aws/impact_rds_group_deletion.toml b/rules/_deprecated/impact_rds_group_deletion.toml
similarity index 98%
rename from rules/integrations/aws/impact_rds_group_deletion.toml
rename to rules/_deprecated/impact_rds_group_deletion.toml
index e32c3721b..d922bec30 100644
--- a/rules/integrations/aws/impact_rds_group_deletion.toml
+++ b/rules/_deprecated/impact_rds_group_deletion.toml
@@ -1,8 +1,9 @@
 [metadata]
 creation_date = "2021/06/05"
 integration = ["aws"]
-maturity = "production"
-updated_date = "2025/11/21"
+maturity = "deprecated"
+updated_date = "2026/01/16"
+deprecation_date = "2026/01/16"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml b/rules/_deprecated/impact_rds_instance_cluster_stoppage.toml
similarity index 98%
rename from rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml
rename to rules/_deprecated/impact_rds_instance_cluster_stoppage.toml
index 912b8d40b..43efe381a 100644
--- a/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml
+++ b/rules/_deprecated/impact_rds_instance_cluster_stoppage.toml
@@ -1,8 +1,9 @@
 [metadata]
 creation_date = "2020/05/20"
 integration = ["aws"]
-maturity = "production"
-updated_date = "2025/11/21"
+maturity = "deprecated"
+updated_date = "2026/01/16"
+deprecation_date = "2026/01/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/persistence_rds_cluster_creation.toml b/rules/_deprecated/persistence_rds_cluster_creation.toml
similarity index 98%
rename from rules/integrations/aws/persistence_rds_cluster_creation.toml
rename to rules/_deprecated/persistence_rds_cluster_creation.toml
index d9c4f287d..fe66d72ba 100644
--- a/rules/integrations/aws/persistence_rds_cluster_creation.toml
+++ b/rules/_deprecated/persistence_rds_cluster_creation.toml
@@ -1,8 +1,9 @@
 [metadata]
 creation_date = "2020/05/20"
 integration = ["aws"]
-maturity = "production"
-updated_date = "2025/11/21"
+maturity = "deprecated"
+updated_date = "2026/01/16"
+deprecation_date = "2026/01/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/persistence_rds_group_creation.toml b/rules/_deprecated/persistence_rds_group_creation.toml
similarity index 98%
rename from rules/integrations/aws/persistence_rds_group_creation.toml
rename to rules/_deprecated/persistence_rds_group_creation.toml
index a0c4e0017..3cacb22e3 100644
--- a/rules/integrations/aws/persistence_rds_group_creation.toml
+++ b/rules/_deprecated/persistence_rds_group_creation.toml
@@ -1,8 +1,9 @@
 [metadata]
 creation_date = "2021/06/05"
 integration = ["aws"]
-maturity = "production"
-updated_date = "2025/11/21"
+maturity = "deprecated"
+updated_date = "2026/01/16"
+deprecation_date = "2026/01/16"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/integrations/aws/persistence_rds_instance_creation.toml b/rules/_deprecated/persistence_rds_instance_creation.toml
similarity index 98%
rename from rules/integrations/aws/persistence_rds_instance_creation.toml
rename to rules/_deprecated/persistence_rds_instance_creation.toml
index e16598f30..825141393 100644
--- a/rules/integrations/aws/persistence_rds_instance_creation.toml
+++ b/rules/_deprecated/persistence_rds_instance_creation.toml
@@ -1,8 +1,9 @@
 [metadata]
 creation_date = "2021/06/06"
 integration = ["aws"]
-maturity = "production"
-updated_date = "2025/11/21"
+maturity = "deprecated"
+updated_date = "2026/01/16"
+deprecation_date = "2026/01/16"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/integrations/aws/persistence_redshift_instance_creation.toml b/rules/_deprecated/persistence_redshift_instance_creation.toml
similarity index 98%
rename from rules/integrations/aws/persistence_redshift_instance_creation.toml
rename to rules/_deprecated/persistence_redshift_instance_creation.toml
index 091a00a62..5454bf865 100644
--- a/rules/integrations/aws/persistence_redshift_instance_creation.toml
+++ b/rules/_deprecated/persistence_redshift_instance_creation.toml
@@ -1,8 +1,9 @@
 [metadata]
 creation_date = "2022/04/12"
 integration = ["aws"]
-maturity = "production"
-updated_date = "2025/11/25"
+maturity = "deprecated"
+updated_date = "2026/01/16"
+deprecation_date = "2026/01/16"
 
 [rule]
 author = ["Elastic"]