Set up the CloudTrail integration.
Detect when the S3 Public Access Block configuration has been removed
This rule lets you monitor this CloudTrail API call to detect if an attacker is deleting the S3 Public Access Block configuration:
More details on S3 Block Public Access can be found here.
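An added example, not part of the original rule: a small Python matcher run over constructed CloudTrail records. The page does not show the API call it monitors, so the event names `DeleteAccountPublicAccessBlock` and `DeleteBucketPublicAccessBlock` are an assumption here, and `find_pab_removals` is a hypothetical helper.

```python
import json

# Assumption: the page does not show the call it monitors. These are the
# CloudTrail event names for account-level and bucket-level removal.
PAB_DELETE_EVENTS = {"DeleteAccountPublicAccessBlock", "DeleteBucketPublicAccessBlock"}

# Constructed sample records (not real logs), trimmed to the fields used below.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventName": "PutObject",
     "sourceIPAddress": "198.51.100.7", "recipientAccountId": "111122223333",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-upload"},
     "requestParameters": {"bucketName": "example-assets"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventName": "DeleteAccountPublicAccessBlock",
     "sourceIPAddress": "203.0.113.10", "recipientAccountId": "111122223333",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"},
     "requestParameters": None},
    {"eventTime": "2024-01-01T10:06:00Z", "eventName": "DeleteBucketPublicAccessBlock",
     "sourceIPAddress": "203.0.113.10", "recipientAccountId": "111122223333",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-dev"},
     "requestParameters": {"bucketName": "example-assets"},
     "errorCode": "AccessDenied"},
]})


def find_pab_removals(cloudtrail_json):
    """Return one finding per Public Access Block deletion event."""
    findings = []
    for rec in json.loads(cloudtrail_json).get("Records", []):
        if rec.get("eventName") not in PAB_DELETE_EVENTS:
            continue
        params = rec.get("requestParameters") or {}  # may be null in CloudTrail
        account = rec.get("recipientAccountId", "unknown")
        findings.append({
            "time": rec.get("eventTime"),
            "event": rec["eventName"],
            "scope": params.get("bucketName") or "account " + account,
            "actor": (rec.get("userIdentity") or {}).get("arn", "unknown"),
            "source_ip": rec.get("sourceIPAddress"),
            # errorCode is only present when the call failed (e.g. AccessDenied)
            "succeeded": "errorCode" not in rec,
        })
    return findings


if __name__ == "__main__":
    for finding in find_pab_removals(SAMPLE_LOG):
        print(finding)
```

Denied attempts are kept in the output with `succeeded` set to false, since a failed removal attempt is still worth triaging alongside successful ones.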