AWS IAM Login Profile Added for Root

Elastic Detection Rules

Summary
The rule "AWS IAM Login Profile Added for Root" detects unauthorized modifications to the AWS root user account, specifically the addition of a login profile. Malicious actors with temporary access to the root account might create a login profile so that they retain a way to log in even if the original access keys are compromised. The rule uses CloudTrail logs to identify a successful `CreateLoginProfile` API call made by the root user. It examines attributes such as the user identity type, access key details, and request parameters to judge whether the action indicates a potential compromise or malicious intent. The rule's Triage and analysis section offers detailed investigation steps, including correlating timestamps, user identity, source addresses, and other related IAM activity. It also provides guidance on handling false positives and detailed remediation steps in case unauthorized access is confirmed.
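The following is an added example, not the Elastic rule's own query, showing the same detection logic applied to raw CloudTrail JSON records: a successful `CreateLoginProfile` call under the root identity is flagged, and the fields the triage steps ask an analyst to correlate are pulled out. The records, account id and access key id are constructed placeholders, and the exact field set the published rule matches on is assumed rather than copied from it.

```python
import json

# Constructed CloudTrail records (not real captures): a successful root CreateLoginProfile,
# the same call denied, and one made by an ordinary IAM user for another user.
SAMPLE_RECORDS = [
    json.dumps({"eventTime": "2024-12-02T10:15:00Z", "eventSource": "iam.amazonaws.com",
                "eventName": "CreateLoginProfile", "sourceIPAddress": "198.51.100.7",
                "userAgent": "aws-cli/2.15.0", "requestParameters": {"passwordResetRequired": False},
                "userIdentity": {"type": "Root", "accessKeyId": "AKIAEXAMPLEPLACEHOLDER",
                                 "arn": "arn:aws:iam::111122223333:root"}}),
    json.dumps({"eventTime": "2024-12-02T10:16:00Z", "eventSource": "iam.amazonaws.com",
                "eventName": "CreateLoginProfile", "sourceIPAddress": "198.51.100.7",
                "errorCode": "AccessDenied", "userIdentity": {"type": "Root"}}),
    json.dumps({"eventTime": "2024-12-02T10:17:00Z", "eventSource": "iam.amazonaws.com",
                "eventName": "CreateLoginProfile", "sourceIPAddress": "203.0.113.9",
                "requestParameters": {"userName": "alice"},
                "userIdentity": {"type": "IAMUser", "userName": "admin-bob"}}),
]

def is_root_login_profile_added(event: dict) -> bool:
    """True when a CreateLoginProfile call succeeded under the root identity (assumed rule logic)."""
    if event.get("userIdentity", {}).get("type") != "Root":
        return False
    if event.get("eventSource") != "iam.amazonaws.com":
        return False
    if event.get("eventName") != "CreateLoginProfile":
        return False
    # CloudTrail records a failed call with errorCode; its absence means the call succeeded.
    return "errorCode" not in event

def triage_context(event: dict) -> dict:
    """Fields the Triage and analysis section asks an analyst to correlate."""
    ident = event.get("userIdentity", {})
    return {
        "time": event.get("eventTime"),
        "source_ip": event.get("sourceIPAddress"),
        "user_agent": event.get("userAgent"),
        "access_key_id": ident.get("accessKeyId"),  # present when root API keys, not the console, were used
        "request_parameters": event.get("requestParameters"),
    }

def scan(records) -> list:
    """Parse raw CloudTrail JSON lines and return triage context for each matching event."""
    alerts = []
    for line in records:
        event = json.loads(line)
        if is_root_login_profile_added(event):
            alerts.append(triage_context(event))
    return alerts
```

Running `scan(SAMPLE_RECORDS)` yields one alert, for the first record only: the denied call and the IAM-user call are filtered out.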
Categories
  • Cloud
  • AWS
  • Identity Management
Data Sources
  • Cloud Storage
  • Logon Session
  • User Account
  • Network Traffic
ATT&CK Techniques
  • T1078
  • T1078.004
  • T1098
Created: 2024-12-02