Deploy the Amazon Inspector agent on each EC2 instance, subscribe to Amazon EventBridge notifications, and use an AWS Lambda function to detect user login messages, then notify the security team via Amazon SNS.

Deploy the Amazon CloudWatch agent on each EC2 instance, configure it to send logs to Amazon CloudWatch Logs, set up a CloudWatch metric filter for user logins, and notify the security team via Amazon SNS if a login is detected.

Configure AWS CloudTrail with Amazon CloudWatch Logs, subscribe CloudWatch Logs to Amazon Kinesis, attach an AWS Lambda function to Kinesis to parse logs for user logins, and notify the security team via Amazon SNS if a login is found.

Set up a script on each Amazon EC2 instance to send logs to Amazon S3, configure an S3 event to trigger an AWS Lambda function, which runs an Amazon Athena query to check for logins, and notify the security team via Amazon SNS if a login is detected.