Install the Amazon CloudWatch agent on the EC2 instances to stream system logs into CloudWatch Logs and create a metric filter with an alarm that sends an Amazon SNS notification when login messages are detected is correct because it provides a managed and continuous way to collect in guest OS logs and trigger near real time alerts with minimal operational overhead.

The CloudWatch agent streams system and authentication logs directly into CloudWatch Logs and a metric filter can match login messages to generate a custom metric. An alarm on that metric can publish to Amazon SNS within minutes, so this approach meets the ten minute alert requirement while keeping the solution simple to operate.

Configure an AWS CloudTrail trail to deliver events to Amazon CloudWatch Logs, invoke an AWS Lambda function to look for login activity, and publish alerts via Amazon SNS is incorrect because CloudTrail records AWS control plane API calls and not OS level in guest logins such as SSH or local console sign ins that occur inside the instance.

Install the AWS Systems Manager agent and depend on Amazon EventBridge to emit an event when a user logs in, then trigger AWS Lambda to send an Amazon SNS message is incorrect because Systems Manager and EventBridge do not natively emit events for operating system login activity without first collecting and parsing the instance logs, which adds complexity.

Use AWS Systems Manager to run a recurring script on each EC2 instance that uploads system logs to Amazon S3, trigger an S3 event to an AWS Lambda function that parses for login entries, and notify the team with Amazon SNS is incorrect because this solution introduces more moving parts, higher latency, and more maintenance than streaming logs to CloudWatch Logs with a metric filter and alarm.

Full AWS Practitioner Certification Question