You should absolutely be using cross-account roles which, with role assumption, vends ephemeral credentials when you need them. https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cr...
A compromise of your vault (and hopefully not remote code execution) means the attacker at least can't blast a billion emails out at someone elses expense.