by isbvhodnvemrwvn
1870 days ago
Monitoring API calls is typically reactive on AWS - e.g. GuardDuty relies on logs from CloudTrail, which are incomplete (e.g. sending a message to SQS is not logged at all), and log delivery is delayed as well. Nevertheless, it should detect the specific issue described here fairly quickly, certainly in less than 2 months. Overall the best defense is defense in depth - use MFA for all human accounts, use IAM roles wherever possible, don't put stuff in public subnets, use restrictive firewall rules, follow the principle of least privilege, use Secrets Manager or similar services for storing credentials. You could write a book about it. Many people pretty much have.
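Two of the defensive checks named in the comment above (MFA on every human account, least-privilege IAM policies) can be verified offline from data an account already produces. The following is an added example, not code from the commenter; it runs over a constructed, abridged credential report in the column layout of the IAM credential report and over a constructed policy document, and flags console users without MFA and Allow statements that combine a wildcard action with a wildcard resource.

```python
import csv
import io
import json

# Constructed sample in the shape of the AWS IAM credential report, abridged to
# the columns used below (these column names exist in the real report).
# The users are hypothetical.
CREDENTIAL_REPORT = """user,password_enabled,mfa_active,access_key_1_active
alice,true,true,false
bob,true,false,true
deploy-bot,false,false,true
"""

# Constructed sample IAM policy document (hypothetical, not from any account).
POLICY_DOCUMENT = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:*", "sts:AssumeRole"], "Resource": "*"},
    ],
})


def users_without_mfa(report_csv):
    """Return console users (password enabled) whose MFA is not active.

    Service accounts with no console password (deploy-bot) are skipped:
    MFA is a control for humans, keys are governed separately.
    """
    rows = csv.DictReader(io.StringIO(report_csv))
    return [r["user"] for r in rows
            if r["password_enabled"] == "true" and r["mfa_active"] != "true"]


def _as_list(value):
    # IAM allows Action/Resource to be a string or a list; normalise to a list.
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def overly_broad_statements(policy_json):
    """Return indices of Allow statements granting '*' or 'service:*' on all resources."""
    doc = json.loads(policy_json)
    statements = doc["Statement"]
    if isinstance(statements, dict):  # a single statement may be given as an object
        statements = [statements]
    findings = []
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        broad_action = any(a == "*" or a.endswith(":*") for a in actions)
        broad_resource = "*" in resources
        if broad_action and broad_resource:
            findings.append(i)
    return findings


if __name__ == "__main__":
    print("console users without MFA:", users_without_mfa(CREDENTIAL_REPORT))
    print("overly broad statement indices:", overly_broad_statements(POLICY_DOCUMENT))
```

In a real account the report comes from `aws iam get-credential-report` (base64-encoded CSV) and the policy documents from `aws iam get-policy-version`; the two functions above take the decoded text and need no network access, so they can run in CI against exported snapshots.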