TL;DR: Add MFA to the AWS root user. If you don't have MFA on root AND the email server for the root email is hosted in the same AWS account, it gets tricky to recover.
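The two checks the thread keeps coming back to (root without MFA, and a long-unused access key sitting in CI) can both be read off the IAM credential report. This is an added example, not code from any commenter; the report text is a constructed sample in the real credential-report column layout, and the account id, user names and dates are made up.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the IAM credential report CSV layout. A real report comes from
# iam.generate_credential_report() followed by iam.get_credential_report()["Content"].
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2019-01-10T08:00:00+00:00,true,2024-05-01T09:30:00+00:00,not_supported,not_supported,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2021-06-01T12:00:00+00:00,false,no_information,N/A,N/A,false,true,2021-06-01T12:00:00+00:00,2022-02-14T16:45:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2023-03-03T09:00:00+00:00,true,2024-05-20T07:12:00+00:00,2024-01-01T00:00:00+00:00,N/A,true,true,2024-01-01T00:00:00+00:00,2024-05-21T11:00:00+00:00,eu-west-1,sts,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


def parse_report(text):
    """Turn the credential report CSV into one dict per principal."""
    return list(csv.DictReader(io.StringIO(text)))


def _parse_date(value):
    # The report uses these markers instead of a timestamp when there is no date.
    if value in ("N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def audit(rows, now, max_idle_days=90):
    """Return (finding, subject) pairs: root without MFA, root with access keys,
    and any active access key that was never used or not used within max_idle_days."""
    findings = []
    for row in rows:
        if row["user"] == "<root_account>":
            if row["mfa_active"] != "true":
                findings.append(("root_mfa_missing", row["user"]))
            if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
                findings.append(("root_access_key", row["user"]))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            last_used = _parse_date(row[f"access_key_{n}_last_used_date"])
            if last_used is None or now - last_used > timedelta(days=max_idle_days):
                findings.append(("stale_access_key", f"{row['user']}:key{n}"))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_report(SAMPLE_REPORT), datetime.now(timezone.utc)):
        print(*finding)
```

With the sample above the audit flags the root user for missing MFA and the `ci-deploy` key last used in 2022; rotating or deleting that key and enabling a hardware or virtual MFA device on root clears both.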
Sidenote, I was shocked to see "There was an AWS keypair saved in the CI secrets that hadn't been used since 2022."
Yes, you're right. Reading my statement in hindsight shows that's not correct. My intention was to convey that you can check for the existence of common IAM users and roles in the accounts (and even the existence of company-specific entities like users with a first.last pattern, product names, etc.)
I've slightly updated the point a bit.
Ahhh. AWS Control Tower has no cost, but it requires AWS Config to be enabled. Config is yet another AWS service that can get costly over time (if continuous monitoring of changes is enabled).
Nope, but did realise we had some open buckets we didn't realise were open. Thankfully we didn't store sensitive information in there despite having 2PB of files in there.