by rcme 1266 days ago
This only applies if the stolen credentials can’t create roles and can’t modify existing roles.
2 comments

...and don't leave a payload behind, to maintain persistent access (unless I'm missing something?)
This is a good reminder to always follow least-permission best practices.
I’d add drift detection on everything IAM / SCP / Org to this list too.

A session token with only a few minutes validity can be enough for someone to make their access permanent.