How should the security team achieve this goal?
Use AWS Lambda to periodically query AWS CloudTrail for console login events and send alerts using Amazon Simple Notification Service (Amazon SNS).
Use Amazon EventBridge (Amazon CloudWatch Events) to monitor console logins and direct them to Amazon Simple Notification Service (Amazon SNS).
Use Amazon Athena to query AWS SSO logs and send alerts using Amazon Simple Notification Service (Amazon SNS) for root login events.
Configure AWS Resource Access Manager to review the access logs and send alerts using Amazon Simple Notification Service (Amazon SNS).
Explanations:
While AWS Lambda can be used to query CloudTrail, this approach would rely on periodic checks, which could delay alerts after a root login occurs. The security team requires immediate notification, which is not guaranteed with this method.
Amazon EventBridge (formerly CloudWatch Events) can monitor AWS CloudTrail for root login events in real time. It can immediately trigger an action, such as sending an alert through Amazon SNS, providing timely notifications to the security team when root credentials are used.
Amazon Athena is not designed for real-time alerting but rather for querying data. Although it could be used to analyze SSO logs, it would not provide immediate alerts for root login events, which the security team requires.
AWS Resource Access Manager is not intended for monitoring login events or sending alerts. It is used for sharing resources across AWS accounts, and therefore it cannot directly notify the security team about root credential usage.
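The EventBridge approach from the explanations, as an added example that is not part of the original page: an event pattern for root console sign-ins, evaluated against constructed CloudTrail-style events. The matcher is a simplified stand-in for EventBridge's exact-value matching, and the returned message list stands in for the SNS publish step.

```python
# Event pattern for an EventBridge rule whose target would be an SNS topic.
ROOT_CONSOLE_LOGIN_PATTERN = {
    "source": ["aws.signin"],
    "detail-type": ["AWS Console Sign In via CloudTrail"],
    "detail": {
        "eventName": ["ConsoleLogin"],
        "userIdentity": {"type": ["Root"]},
    },
}


def matches(pattern, event):
    """Simplified matcher (assumption, not the EventBridge engine):
    nested dicts descend, lists mean 'any of these exact values'."""
    if not isinstance(event, dict):
        return False
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def make_event(source, detail_type, event_name, identity_type):
    """Build a constructed event carrying only the fields the pattern inspects."""
    return {
        "source": source,
        "detail-type": detail_type,
        "time": "2024-01-01T00:00:00Z",   # constructed timestamp
        "detail": {
            "eventName": event_name,
            "userIdentity": {"type": identity_type},
            "sourceIPAddress": "203.0.113.10",  # documentation address range
        },
    }


# Constructed sample events: root sign-in, IAM user sign-in, root API call.
SAMPLE_EVENTS = [
    make_event("aws.signin", "AWS Console Sign In via CloudTrail", "ConsoleLogin", "Root"),
    make_event("aws.signin", "AWS Console Sign In via CloudTrail", "ConsoleLogin", "IAMUser"),
    make_event("aws.iam", "AWS API Call via CloudTrail", "CreateAccessKey", "Root"),
]


def alerts_for(events, pattern=ROOT_CONSOLE_LOGIN_PATTERN):
    """Return one alert message per matching event (what the SNS target would receive)."""
    return [
        f"Root console login at {e['time']} from {e['detail']['sourceIPAddress']}"
        for e in events if matches(pattern, e)
    ]
```

The third sample event shows the limit of this pattern: root API activity outside the console does not match it and would need its own rule.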