AWS IAM Login Profile Created or Modified for an IAM User

Elastic Detection Rules

Summary
Detects creation or modification of an AWS IAM login profile for an IAM user by monitoring CloudTrail events that use CreateLoginProfile or UpdateLoginProfile. A login profile allows password-based console sign-in, so an attacker with stolen programmatic credentials could establish persistence (via CreateLoginProfile) or reset another user’s password to hijack an account (via UpdateLoginProfile). Because many environments provision console access through federation or IAM Identity Center, unexpected use of these APIs by an unusual principal is a meaningful signal.

The rule targets non-root IAM users (the userName parameter) and excludes root-related activity. It filters out legitimate onboarding, password resets, or break-glass activity by excluding known automation or service principals (e.g., Terraform, Pulumi, Ansible) and common automation sources. It emphasizes successful outcomes, actor identity, and target user context to assess legitimacy. The query correlates with related IAM activity (e.g., CreateAccessKey, PutUserPolicy, AttachUserPolicy, virtual MFA, ConsoleLogin) to identify persistence or takeover. It maps to MITRE ATT&CK: T1098 Account Manipulation, with subtechnique T1098.001 Additional Cloud Credentials.

Triaging steps include validating actor identity (aws.cloudtrail.user_identity.arn/type/session_issuer), the target user’s normal console access and privileges, and the presence of passwordResetRequired in request_parameters.

Remediation emphasizes revoking console access for the affected user, resetting the password, rotating credentials for the acting principal, auditing IAM permission changes, and restricting CreateLoginProfile/UpdateLoginProfile to a small set of trusted admins. Prefer federation or IAM Identity Center for console access to reduce reliance on static login profiles.
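The matching and filtering described in the summary, applied to raw CloudTrail records, as an added example that is not the Elastic rule's own query. The sample events, account ID, principal names, and the user-agent based automation filter are constructed assumptions.

```python
WATCHED = {"CreateLoginProfile", "UpdateLoginProfile"}
# Assumption: automation is recognised by a user-agent substring; tune per environment.
AUTOMATION_AGENTS = ("terraform", "pulumi", "ansible")

def ev(name, id_type, arn, agent, params, error=None):
    """Build a constructed CloudTrail-style record (sample data, not a real event)."""
    rec = {"eventSource": "iam.amazonaws.com", "eventName": name,
           "userIdentity": {"type": id_type, "arn": arn},
           "userAgent": agent, "requestParameters": params}
    if error:
        rec["errorCode"] = error  # CloudTrail sets errorCode only on failed calls
    return rec

ACCT = "arn:aws:iam::111122223333"  # placeholder account ID
SAMPLE_EVENTS = [
    ev("CreateLoginProfile", "IAMUser", f"{ACCT}:user/ci-deploy", "aws-cli/2.15.0",
       {"userName": "alice", "passwordResetRequired": False}),
    ev("UpdateLoginProfile", "AssumedRole", "arn:aws:sts::111122223333:assumed-role/iac/run",
       "APN/1.0 HashiCorp/1.0 Terraform/1.7.0", {"userName": "svc-report"}),
    ev("CreateLoginProfile", "IAMUser", f"{ACCT}:user/intern", "Boto3/1.34.0",
       {"userName": "admin"}, error="AccessDenied"),
    ev("UpdateLoginProfile", "Root", f"{ACCT}:root", "console.amazonaws.com",
       {"userName": "bob"}),
    ev("CreateAccessKey", "IAMUser", f"{ACCT}:user/ci-deploy", "aws-cli/2.15.0",
       {"userName": "alice"}),
    ev("UpdateLoginProfile", "AssumedRole", "arn:aws:sts::111122223333:assumed-role/helpdesk/pat",
       "console.amazonaws.com", {"userName": "carol", "passwordResetRequired": True}),
]

def login_profile_findings(events):
    """Return successful login-profile changes on IAM users by non-automation actors."""
    findings = []
    for e in events:
        if e.get("eventSource") != "iam.amazonaws.com" or e.get("eventName") not in WATCHED:
            continue
        if e.get("errorCode"):                      # keep successful outcomes only
            continue
        ident = e.get("userIdentity") or {}
        params = e.get("requestParameters") or {}
        if ident.get("type") == "Root" or not params.get("userName"):
            continue                                # root-related or no target IAM user
        agent = (e.get("userAgent") or "").lower()
        if any(a in agent for a in AUTOMATION_AGENTS):
            continue                                # known automation source
        findings.append({"event": e["eventName"], "actor": ident.get("arn"),
                         "actor_type": ident.get("type"), "target": params["userName"],
                         "password_reset_required": params.get("passwordResetRequired")})
    return findings
```

Each finding carries the fields the triage steps ask for: acting principal, target user, and the passwordResetRequired value from the request.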
Categories
  • Cloud
  • Identity Management
  • AWS
Data Sources
  • Cloud Service
ATT&CK Techniques
  • T1098
  • T1098.001
Created: 2026-06-18