diff --git a/rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml b/rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml
new file mode 100644
index 000000000..447c69c93
--- /dev/null
+++ b/rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml
@@ -0,0 +1,151 @@
+[metadata]
+creation_date = "2024/12/02"
+integration = ["aws"]
+maturity = "production"
+min_stack_comments = "ES|QL available in technical preview."
+min_stack_version = "8.13.0"
+updated_date = "2024/12/02"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects when an AWS IAM login profile is added to a root user account and is self-assigned. Adversaries, with temporary
+access to the root account, may add a login profile to the root user account to maintain access even if the original
+access key is rotated or disabled.
+"""
+from = "now-9m"
+language = "esql"
+license = "Elastic License v2"
+name = "AWS IAM Login Profile Added for Root"
+note = """
+## Investigating AWS IAM Login Profile Added for Root
+
+This rule detects when a login profile is added to the AWS root account. Adding a login profile to the root account, especially if self-assigned, is highly suspicious as it might indicate an adversary trying to establish persistence in the environment.
+
+### Possible Investigation Steps
+
+- **Identify the Source and Context of the Action**:
+    - Examine the `source.address` field to identify the IP address from which the request originated.
+        - Check the geographic location (`source.address`) to determine if the access is from an expected or unexpected region.
+    - Look at the `user_agent.original` field to identify the tool or browser used for this action.
+        - For example, a user agent like `Mozilla/5.0` might indicate interactive access, whereas `aws-cli` or SDKs suggest scripted activity.
+
+- **Confirm Root User and Request Details**:
+    - Validate the root user's identity through `aws.cloudtrail.user_identity.arn` and ensure this activity aligns with legitimate administrative actions.
+    - Review `aws.cloudtrail.user_identity.access_key_id` to identify if the action was performed using temporary or permanent credentials. This access key could be used to pivot into other actions.
+
+- **Analyze the Login Profile Creation**:
+    - Review the `aws.cloudtrail.request_parameters` and `aws.cloudtrail.response_elements` fields for details of the created login profile.
+        - For example, confirm the `userName` of the profile and whether `passwordResetRequired` is set to `true`.
+    - Compare the `@timestamp` of this event with other recent actions by the root account to identify potential privilege escalation or abuse.
+
+- **Correlate with Other Events**:
+    - Investigate for related IAM activities, such as:
+        - `CreateAccessKey` or `AttachUserPolicy` events targeting the root account.
+        - Unusual data access, privilege escalation, or management console logins.
+    - Check for any anomalies involving the same `source.address` or `aws.cloudtrail.user_identity.access_key_id` in the environment.
+
+- **Evaluate Policy and Permissions**:
+    - Verify the current security policies for the root account:
+        - Ensure password policies enforce complexity and rotation requirements.
+        - Check if MFA is enforced on the root account.
+    - Assess the broader IAM configuration for deviations from least privilege principles.
+
+### False Positive Analysis
+
+- **Routine Administrative Tasks**: Adding a login profile might be a legitimate action during certain administrative processes. Verify with the relevant AWS administrators if this event aligns with routine account maintenance or emergency recovery scenarios.
+
+- **Automation**: If the action is part of an approved automation process (e.g., account recovery workflows), consider excluding these activities from alerting using specific user agents, IP addresses, or session attributes.
+
+### Response and Remediation
+
+- **Immediate Access Review**:
+    - Disable the newly created login profile (`aws iam delete-login-profile`) if it is determined to be unauthorized.
+    - Rotate or disable the credentials associated with the root account to prevent further abuse.
+
+- **Enhance Monitoring and Alerts**:
+    - Enable real-time monitoring and alerting for IAM actions involving the root account.
+    - Increase the logging verbosity for root account activities.
+
+- **Review and Update Security Policies**:
+    - Enforce MFA for all administrative actions, including root account usage.
+    - Restrict programmatic access to the root account by disabling access keys unless absolutely necessary.
+
+- **Conduct Post-Incident Analysis**:
+    - Investigate how the credentials for the root account were compromised or misused.
+    - Strengthen the security posture by implementing account-specific guardrails and continuous monitoring.
+
+### Additional Resources
+
+- AWS documentation on [Login Profile Management](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateLoginProfile.html).
+"""
+risk_score = 73
+rule_id = "c04be7e0-b0fc-11ef-a826-f661ea17fbce"
+severity = "high"
+tags = [
+    "Domain: Cloud",
+    "Data Source: AWS",
+    "Data Source: Amazon Web Services",
+    "Data Source: AWS IAM",
+    "Use Case: Identity and Access Audit",
+    "Tactic: Persistence",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+from logs-aws.cloudtrail* metadata _id, _version, _index
+| where
+    // filter for CloudTrail logs from IAM
+    event.dataset == "aws.cloudtrail"
+    and event.provider == "iam.amazonaws.com"
+
+    // filter for successful CreateLoginProfile API call
+    and event.action == "CreateLoginProfile"
+    and event.outcome == "success"
+
+    // filter for Root member account
+    and aws.cloudtrail.user_identity.type == "Root"
+
+    // filter for an access key existing which sources from AssumeRoot
+    and aws.cloudtrail.user_identity.access_key_id IS NOT NULL
+
+    // filter on the request parameters not including UserName which assumes self-assignment
+    and NOT TO_LOWER(aws.cloudtrail.request_parameters) LIKE "*username*"
+| keep
+    @timestamp,
+    aws.cloudtrail.request_parameters,
+    aws.cloudtrail.response_elements,
+    aws.cloudtrail.user_identity.type,
+    aws.cloudtrail.user_identity.arn,
+    aws.cloudtrail.user_identity.access_key_id,
+    cloud.account.id,
+    event.action,
+    source.address
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+