
gnagent2
I stumbled upon an AWS Management Blog post from July 2017 that contains an alternative approach to detecting root user activity. It uses CloudWatch Events and a Lambda function. https://aws.amazon.com/blogs/mt/monitor-and-notify-on-aws-account-root-user-activity/
This has the big advantage of being near-realtime instead of the 15 to 20 mins publishing delay to CloudWatch Logs.
The real question is what will be in the exam?
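
The filtering step of the CloudWatch Events plus Lambda approach linked above, as an added example that is not part of the original comment and is not the AWS blog post's code. The function names, the `publish` callback standing in for an SNS call, the exclusion of service-invoked records, and the sample event are all assumptions constructed here.

```python
import json

# detail-type values EventBridge (CloudWatch Events) uses for CloudTrail records
CLOUDTRAIL_TYPES = {"AWS API Call via CloudTrail", "AWS Console Sign In via CloudTrail"}

# Constructed sample event (account ID, IP and time are made-up example values)
SAMPLE_ROOT_LOGIN = {
    "detail-type": "AWS Console Sign In via CloudTrail",
    "account": "111122223333",
    "detail": {
        "eventName": "ConsoleLogin",
        "eventSource": "signin.amazonaws.com",
        "eventTime": "2017-07-01T12:00:00Z",
        "eventType": "AwsConsoleSignIn",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
    },
}


def is_root_activity(event):
    """True when the event is a CloudTrail record of the root user acting directly."""
    if event.get("detail-type") not in CLOUDTRAIL_TYPES:
        return False
    detail = event.get("detail") or {}
    identity = detail.get("userIdentity") or {}
    if identity.get("type") != "Root":
        return False
    # Assumption: like the usual log metric filter for root usage, ignore records
    # an AWS service generated or invoked rather than a person with root credentials.
    return "invokedBy" not in identity and detail.get("eventType") != "AwsServiceEvent"


def handler(event, context=None, publish=None):
    """Lambda-style entry point; `publish` is a hypothetical stand-in for an SNS call."""
    if not is_root_activity(event):
        return None
    detail = event["detail"]
    fields = ("eventName", "eventSource", "eventTime", "sourceIPAddress")
    alert = {
        "subject": "Root user activity in account %s" % event.get("account", "unknown"),
        "message": json.dumps({k: detail.get(k) for k in fields}, sort_keys=True),
    }
    if publish is not None:
        publish(alert["subject"], alert["message"])
    return alert
```

Because the rule fires on each matching event as it is delivered, the alert does not wait on the CloudWatch Logs publishing delay mentioned in the comment.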