Shattering the rotation illusion: The attacker view and AWSKeyLockdown (2024)(clutch.security)
39 points by complexpass 3 days ago | 4 comments
  • JCM9 3 days ago

    Reality is that a string of letters and numbers in plain text is all that’s required to grant someone full root access to your AWS (and many other cloud) provider’s existence even if all your stuff is disconnected from the internet.

    Lots of best practices to mitigate the risk of that and blast radius of a compromise, but it’s a nasty anti-pattern in cloud security that bites hard when things go wrong. As the article highlights, attackers are well positioned to exploit this and can take over your assets in seconds after an oops.
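Since the comment above turns on the fact that a bare credential string is enough, one defensive control is to catch such strings before they leave a repo or CI log. The scanner below is an added example (not code from the post, the article, or the AWSKeyLockdown project). It relies on two AWS conventions: long-lived IAM user access key IDs begin with "AKIA" and temporary STS key IDs begin with "ASIA", both 20 characters. The secret-key pattern, the severity scale and the sample .env text are constructed assumptions for illustration.

```python
import re

# AWS access key IDs: "AKIA" = long-lived IAM user key, "ASIA" = temporary STS key.
# Both are 20 uppercase alphanumeric characters.
ACCESS_KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")

# Heuristic (assumption, not an AWS specification): a secret access key is a
# 40-character token that appears right after an AWS_SECRET_ACCESS_KEY-style name.
SECRET_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\W{0,5}([A-Za-z0-9/+=]{40})\b"
)


def redact(value):
    """Keep only a prefix and suffix so findings can be reported without re-leaking the secret."""
    return value[:4] + "..." + value[-4:]


def scan_text(text):
    """Return one finding per credential-looking token, with line number and severity.

    Long-lived keys (AKIA) are rated "high" because they stay valid until someone
    deactivates them; temporary keys (ASIA) expire on their own and are rated "medium".
    Secret access keys are always "high".
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            key_id = m.group(1)
            findings.append({
                "line": lineno,
                "type": "access_key_id",
                "value": redact(key_id),
                "severity": "high" if key_id.startswith("AKIA") else "medium",
            })
        for m in SECRET_RE.finditer(line):
            findings.append({
                "line": lineno,
                "type": "secret_access_key",
                "value": redact(m.group(1)),
                "severity": "high",
            })
    return findings


def worst_severity(findings):
    """Collapse a finding list to the single worst level, for a pass/fail gate."""
    order = {"none": 0, "medium": 1, "high": 2}
    worst = "none"
    for f in findings:
        if order[f["severity"]] > order[worst]:
            worst = f["severity"]
    return worst


# Constructed sample .env content; these are not real credentials.
SAMPLE_ENV = """\
# .env (constructed sample, not real credentials)
AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# a temporary STS key pasted from a CI job
AWS_ACCESS_KEY_ID=ASIAEXAMPLEEXAMPLE02
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_ENV):
        print(f"line {f['line']}: {f['type']} {f['value']} [{f['severity']}]")
    print("gate result:", worst_severity(scan_text(SAMPLE_ENV)))
```

Run as a pre-commit hook or over CI logs, `worst_severity` of "high" means a long-lived key or secret is sitting in plaintext and the key should be treated as exposed and disabled, not merely rotated, since the attacker timeline the article describes is measured in seconds.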

    • klysm 2 days ago | parent

      If you aren’t using 2FA for your root account, then you are asking to be compromised.

  • complexpass 3 days ago

    I modified the title to fit HN format. Original title: Shattering the Rotation Illusion: Part 6 – The Attacker’s Perspective & Introducing AWSKeyLockdown

    • kopur 3 days ago | parent

      thanks