Certified Security - Specialty

Sign Up Free or Log In to participate!

@Ryan, found the error in “Set Up Alert If The Root User Logs In” lesson.

@Ryan. The problem you are having is because when creating the rule, you have the "whenever" set to >= 0. It should be >=1. That’s also in the screenshots in the blog but hard to see.



Alexander Feng


Alec Whitehouse

Worked for me when I made Don’s tweak. Thanks Don!

Jansen Sena


Justin Taylor

You’re the…… Don (+1)

Adam C

Why would >=1 make a difference? Any count is >=0 so should work the same as >=1, right?

3 Answers

Thanks for bringing this to our attention! I’ll add a note to the lecture until Ryan can get this re-recorded

Quite confused here as I have just completed this with it being >= 0 and it works perfectly fine.

the 1 – should not really make any difference anyway as it only says greater or equal to 1, however it would have required an event to trigger it.

I did however had to wait about 5 mins before logs would generate into s3, once that started I was able to get it.

FWIW, a newer implementation was published by AWS a couple years ago that aligns with modern blueprints for roll-your-own event-driven security monitoring, notification, and response actions. The new design works flawlessly for this and other security scenarios. Having said that, I’ll likely develop another function that improves readability of the alerts when email notifications are desired since the raw email format is difficult to read. Setup and testing time for the new design was < 10 minutes.


Hope this helps. Good luck on your exams.

Rubaiyat Kibria

Hi Gurus, if the case scenario is changed where alert needs to be sent when a certain IAM user makes an API call to an s3 bucket, what would be the solution? If this has already been answered in a separate thread, appreciate if you can direct me there. Thanks in advance.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?