It says they use publicly exposed or leaked IAM keys with RW permission to do this, in case anybody is interested in how they get in.

While this is more an issue with compromise credentials and not a flaw in AWS exactly, I think AWS should just deprecate the use of IAM Access Keys altogether, and have newly issued keys auto expire after 90 days, requiring human intervention to extend the lifetime if absolutely necessary. Had these companies used IAM roles for their services, they would not be in this situation, but that approach requires more effort, so people go with the lazy access key solution.

Let me guess next step is making sure aws has a backdoor. For security purposes obviously.