@Ryan. The problem you are having is because when creating the rule, you have the "whenever" set to >= 0. It should be >=1. That’s also in the screenshots in the blog but hard to see.
Thanks for bringing this to our attention! I’ll add a note to the lecture until Ryan can get this re-recorded.
Quite confused here as I have just completed this with it being >= 0 and it works perfectly fine.
The 1 should not really make any difference anyway, as it only says greater than or equal to 1; however, it would have required an event to trigger it.
I did, however, have to wait about 5 mins before logs would generate into S3; once that started I was able to get it.
FWIW, a newer implementation was published by AWS a couple years ago that aligns with modern blueprints for roll-your-own event-driven security monitoring, notification, and response actions. The new design works flawlessly for this and other security scenarios. Having said that, I’ll likely develop another function that improves readability of the alerts when email notifications are desired since the raw email format is difficult to read. Setup and testing time for the new design was < 10 minutes.
Hope this helps. Good luck on your exams.
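To make the threshold point raised in this thread concrete, here is an added example (not from the blog or any commenter): a simplified Python model of how a CloudWatch alarm evaluates a log-metric-filter Sum over successive periods, assuming one evaluation period, the standard TreatMissingData options, and constructed datapoints.

```python
# Simplified model of CloudWatch alarm evaluation for a CloudTrail log
# metric filter (assumptions: Sum statistic, one evaluation period, and the
# filter is configured to publish a 0 datapoint when logs arrive with no match).
from typing import List, Optional

def evaluate_alarm(datapoints: List[Optional[float]], threshold: float,
                   treat_missing: str = "missing") -> List[str]:
    """Return the alarm state after each period.

    datapoints:    Sum per period; None means no datapoint was published.
    treat_missing: TreatMissingData setting: 'missing' keeps the previous
                   state, 'notBreaching' forces OK, 'breaching' forces ALARM.
    """
    state = "INSUFFICIENT_DATA"
    history = []
    for dp in datapoints:
        if dp is None:
            if treat_missing == "missing":
                pass  # no datapoint: alarm keeps its current state
            elif treat_missing == "notBreaching":
                state = "OK"
            elif treat_missing == "breaching":
                state = "ALARM"
            else:
                raise ValueError(f"unknown TreatMissingData: {treat_missing}")
        else:
            # GreaterThanOrEqualToThreshold comparison
            state = "ALARM" if dp >= threshold else "OK"
        history.append(state)
    return history

# Constructed sample: two periods with log traffic but no matching event
# (value 0), two periods with no datapoint, and one period with a real event.
SAMPLE = [0.0, None, 0.0, 1.0, None]

def compare_thresholds(threshold_a: float = 0, threshold_b: float = 1):
    """Evaluate the same datapoints against both thresholds side by side."""
    return {threshold_a: evaluate_alarm(SAMPLE, threshold_a),
            threshold_b: evaluate_alarm(SAMPLE, threshold_b)}

if __name__ == "__main__":
    for t, states in compare_thresholds().items():
        print(f">= {t}: {states}")
```

With >= 0 the alarm is in ALARM from the first zero-valued datapoint onward, so it never distinguishes "no event" from "event"; with >= 1 it only enters ALARM once a matching event actually occurs.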