AWS User Login Profile Created or Modified

Panther Rules

Summary
This detection rule monitors AWS IAM user login profiles and fires when a login profile is created or modified. It helps identify potentially unauthorized actions by a user who holds sufficient IAM permissions, such as `iam:UpdateLoginProfile`, particularly when that user changes the login credentials of another user. Such activity can indicate a security risk, especially if an adversary impersonating an account holder modifies someone else's password without authorization. Legitimate administrators perform the same action, so the rule is classified as low severity. The rule analyzes AWS CloudTrail logs for the events that record login profile updates, giving organizations oversight of sensitive credential changes. It is mapped to related MITRE ATT&CK techniques to support correlation and context during threat hunting.
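The check described in the summary, sketched as an added example (not the Panther rule's source code). It assumes standard CloudTrail fields (`eventSource`, `eventName`, `errorCode`, `userIdentity.arn`, `requestParameters.userName`); the helper names, account ID and sample events are constructed for illustration.

```python
# Added example: assumed detection logic, not the Panther rule's source code.
WATCHED = {"CreateLoginProfile", "UpdateLoginProfile"}

def actor_name(event):
    """Last path component of the caller ARN (IAM user or role session name)."""
    arn = (event.get("userIdentity") or {}).get("arn", "")
    return arn.rsplit("/", 1)[-1] if "/" in arn else ""

def changed_for_other_user(event):
    """True when a successful login-profile change targets someone other than the caller."""
    if event.get("eventSource") != "iam.amazonaws.com":
        return False
    if event.get("eventName") not in WATCHED:
        return False
    if event.get("errorCode"):  # denied or failed calls changed nothing
        return False
    target = (event.get("requestParameters") or {}).get("userName")
    if not target:  # assumption: no recorded target, so no other user to attribute
        return False
    return target.lower() != actor_name(event).lower()

def _event(name, arn, target, source="iam.amazonaws.com", error=None):
    """Build a constructed CloudTrail-shaped record for the demo below."""
    record = {"eventSource": source, "eventName": name,
              "userIdentity": {"arn": arn},
              "requestParameters": {"userName": target} if target else None}
    if error:
        record["errorCode"] = error
    return record

ACCT = "arn:aws:iam::111122223333"  # constructed account ID
SAMPLE_EVENTS = [  # constructed events, not real log data
    _event("UpdateLoginProfile", f"{ACCT}:user/admin-dana", "bob"),
    _event("UpdateLoginProfile", f"{ACCT}:user/bob", "bob"),  # self-service change
    _event("UpdateLoginProfile", f"{ACCT}:user/eve", "bob", error="AccessDenied"),
    _event("ConsoleLogin", f"{ACCT}:user/bob", None, source="signin.amazonaws.com"),
    _event("CreateLoginProfile", "arn:aws:sts::111122223333:assumed-role/Ops/sess1", "carol"),
]

def triage(events):
    """Return (caller ARN, target user, event name) for every event worth review."""
    return [(e["userIdentity"]["arn"], e["requestParameters"]["userName"], e["eventName"])
            for e in events if changed_for_other_user(e)]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Because legitimate administrators produce the same events, the output is a review queue rather than a verdict: the caller ARN and target user are what an analyst checks against change records.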
Categories
  • Cloud
  • AWS
  • Identity Management
Data Sources
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1098
  • T1108
  • T1550
Created: 2024-07-15