We use cloudtrail to log AWS user login and the cloudtrail logs been configured in ELK and indexed. I'm writing a watcher script to query and fetch user information for the following condition:
When multiple login found for the same user (logged in from more than one IP address at same time in this case), watcher will trigger email notification. Query should return the user name and the list of IP's from which the user logged in.