It's still crap though. If they spin up an instance billing $1k a day you'll find out after they've already billed several hundred, if not at least $1k. There needs to be a way to set actual limits, not alerts. You should be able to say "I'm not using this service, the limit should be $0."
Of course, if OP didn't have MFA / let their keys leak this may not have helped anyway if the hacker was able to just remove the limits.
> You should be able to say "I'm not using this service, the limit should be $0."
In your organization, add a service control policy which denies access to services you don't use. This will prevent all member accounts from executing actions you don't want, including root users. You can also deny any action on any resource in any region other than whatever you expect to use (with some exceptions due to legacy stuff).
If they had actual limits, you'd have people complaining about their sites getting shut down because someone broke into their account and spun up a bunch of instances. Or a developer did it accidentally. Alerts are much safer.
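A sketch of the service control policy described in the reply above, added here as an example and not taken from any poster in the thread. The denied services, the two allowed regions, and the list of global services exempted from the region check are all assumptions to replace with your own.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyServicesWeDoNotUse",
      "Effect": "Deny",
      "Action": [
        "sagemaker:*",
        "redshift:*",
        "elasticmapreduce:*",
        "gamelift:*",
        "lightsail:*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyOutsideExpectedRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "sts:*",
        "support:*",
        "route53:*",
        "cloudfront:*",
        "budgets:*",
        "ce:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["us-east-1", "eu-west-1"]
        }
      }
    }
  ]
}
```

The `NotAction` list keeps global services, whose API calls are not tied to the regions you allow, from being blocked by the region condition. SCPs do not restrict the organization's management account, so workloads and day-to-day credentials belong in member accounts for this to cover them.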