Which combination of steps will meet these requirements?

Explanations:

AWS Config is used for resource compliance and auditing rather than direct monitoring of root user activity. It does not provide alerts for login events directly and is not primarily designed for generating dashboards for log activity.

Amazon QuickSight is a business analytics service that allows users to create visualizations, but it cannot directly query CloudWatch Logs without first ingesting that data into a suitable format. It does not address the alerting requirement for root user logins.

Creating a CloudWatch Logs metric filter to match root user login events allows for the detection of these specific events. Configuring a CloudWatch alarm linked to an SNS topic enables alerts to be sent to the monitoring system when a root user logs in, meeting the requirement for both alerts and monitoring.

An Amazon CloudWatch Logs subscription filter forwards logs in real-time but does not inherently create alerts. While it could potentially send alerts through SNS, it does not directly tie into the alerting mechanism for root user logins like a metric filter would.

Creating an AWS CloudTrail organization trail captures all API activity across accounts in the organization, including root user logins. Sending these events to CloudWatch Logs allows for monitoring and log analysis, fulfilling the requirements for log activity tracking.

An Amazon CloudWatch dashboard can utilize CloudWatch Logs Insights queries to visualize log data. This allows for creating dashboards that display log activity generated by root users, thus meeting the dashboard requirement.