While this is more an issue with compromised credentials and not a flaw in AWS exactly, I think AWS should just deprecate the use of IAM Access Keys altogether, and have newly issued keys auto-expire after 90 days, requiring human intervention to extend the lifetime if absolutely necessary. Had these companies used IAM roles for their services, they would not be in this situation, but that approach requires more effort, so people go with the lazy access key solution.
And just to be clear, using IAM roles doesn’t require much effort either, even when you need to sync with an external auth provider such as AD (I know, ewww, but you have to live in the world as it is rather than the one you’d like it to be).
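As an added example that is not part of the comment above, here is one way a defender could enforce the 90-day access-key lifetime it proposes: a pure check over key metadata in the shape boto3's IAM `list_access_keys()` returns, plus a deactivation sweep that takes a boto3 IAM client. The sample keys, user names and placeholder key IDs are constructed for the illustration.

```python
# Added example, not code from the comment: enforce the 90-day access-key lifetime it proposes.
from datetime import datetime, timedelta, timezone

MAX_AGE_DAYS = 90  # the lifetime the comment proposes


def stale_keys(key_metadata, now, max_age_days=MAX_AGE_DAYS):
    """Return (UserName, AccessKeyId, age_days) for each Active key created more
    than max_age_days ago. Entries are shaped like the AccessKeyMetadata items
    iam.list_access_keys() returns. Inactive keys cannot authenticate, so skip them."""
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for key in key_metadata:
        if key["Status"] == "Active" and key["CreateDate"] < cutoff:
            stale.append((key["UserName"], key["AccessKeyId"], (now - key["CreateDate"]).days))
    return stale


def deactivate_stale_keys(iam, now, max_age_days=MAX_AGE_DAYS, dry_run=True):
    """Walk every IAM user via a boto3 IAM client and set stale keys to Inactive.
    Deactivation, unlike deletion, is reversible: that is the human-intervention
    step, since an owner who still needs the key can ask to have it re-enabled.
    Returns the (UserName, AccessKeyId, age_days) tuples acted on."""
    acted = []
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            keys = iam.list_access_keys(UserName=user["UserName"])["AccessKeyMetadata"]
            for user_name, key_id, age in stale_keys(keys, now, max_age_days):
                if not dry_run:
                    iam.update_access_key(UserName=user_name, AccessKeyId=key_id, Status="Inactive")
                acted.append((user_name, key_id, age))
    return acted


# Constructed sample in list_access_keys() shape; the key IDs are placeholders, not real keys.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"UserName": "ci-deploy", "AccessKeyId": "AKIAEXAMPLE0000001", "Status": "Active",
     "CreateDate": NOW - timedelta(days=400)},  # long-lived key: should be flagged
    {"UserName": "ci-deploy", "AccessKeyId": "AKIAEXAMPLE0000002", "Status": "Active",
     "CreateDate": NOW - timedelta(days=30)},   # recently rotated: fine
    {"UserName": "old-contractor", "AccessKeyId": "AKIAEXAMPLE0000003", "Status": "Inactive",
     "CreateDate": NOW - timedelta(days=900)},  # already disabled: ignored
]

if __name__ == "__main__":
    for user, key_id, age in stale_keys(SAMPLE_KEYS, NOW):
        print(f"{user}: key {key_id} is {age} days old, over the {MAX_AGE_DAYS}-day limit")
    # Live run: import boto3; deactivate_stale_keys(boto3.client("iam"), datetime.now(timezone.utc), dry_run=False)
```

Run the sweep with `dry_run=True` first to see what would be disabled; the key-owner lookup and re-enablement process is the "human intervention" the comment asks for.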