by deathanatos 341 days ago
If someone acquires root in the AWS account, they likely then have access to the backups, too. Unless we're also assuming whatever is doing the backup runs in an alternate cloud and our attacker or insider somehow has access to only 1 of 2 clouds.

Possible, perhaps, but contrived.

2 comments

There's account root and then there's org root. Accounts are security boundaries, meaning you'd want your backups to at least be in another account within the org.
I think using a separate cloud with credentials stored in a safe (or the equivalent) isn’t that uncommon (I've worked at places where we were nearly 100% AWS but had GCP for storing backups). You’d need to compromise/socially engineer a different set of people to get access to that.
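The "backups in another account" boundary the first reply describes only holds if the production side can write to the backup bucket but never delete or reconfigure it. The following is an added example, not code from anyone in this thread: it builds such a bucket policy for a hypothetical backup account (all account IDs, role and bucket names are placeholders) and includes a conservative lint that flags any Allow statement granting the production principal destructive S3 actions.

```python
"""Added example: write-only backup bucket policy plus a destructive-access lint.
Assumes the bucket lives in a dedicated backup account and production backs up
through one IAM role. Account IDs and names are placeholders, not real values.
"""

PROD_ACCOUNT = "111111111111"                      # placeholder: account being backed up
BACKUP_BUCKET = "example-org-backups"              # placeholder: bucket in the backup account
PROD_BACKUP_ROLE = f"arn:aws:iam::{PROD_ACCOUNT}:role/backup-writer"

# Action prefixes that let a principal destroy data or loosen the guard rails.
DESTRUCTIVE = ("s3:Delete", "s3:PutBucketPolicy", "s3:PutLifecycleConfiguration",
               "s3:PutBucketVersioning", "s3:PutObjectRetention")


def backup_bucket_policy() -> dict:
    """Production may append objects under its own prefix; an explicit Deny blocks
    deletes even if someone later adds a broader Allow. Versioning or Object Lock
    on the bucket (configured separately) keeps overwritten objects recoverable."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ProdMayWriteBackups", "Effect": "Allow",
             "Principal": {"AWS": PROD_BACKUP_ROLE},
             "Action": ["s3:PutObject"],
             "Resource": f"arn:aws:s3:::{BACKUP_BUCKET}/{PROD_ACCOUNT}/*"},
            {"Sid": "ProdNeverDeletes", "Effect": "Deny",
             "Principal": {"AWS": PROD_BACKUP_ROLE},
             "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion"],
             "Resource": f"arn:aws:s3:::{BACKUP_BUCKET}/*"},
        ],
    }


def grants_destructive_access(policy: dict, principal_arn: str) -> bool:
    """Return True if any Allow statement could let principal_arn delete or
    reconfigure. Deliberately conservative: wildcard principals and wildcard
    actions ('*', 's3:*') count as destructive, and Deny statements are ignored
    so a compensating Deny never hides an over-broad Allow."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        if "*" not in aws and principal_arn not in aws:
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(a in ("*", "s3:*") or a.startswith(DESTRUCTIVE) for a in actions):
            return True
    return False
```

Running the lint on the generated policy returns False; widening the first statement to `s3:*` makes it return True, which is the regression a review of backup-account policies should catch.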