Saw someone on Reddit lose $86k from a compromised AWS account. I've heard way too many stories like this: misconfigured IAM, tokens in repos, no billing alerts...

If you're on a small team, how are you actually protecting yourself from stuff like this? Is there a sane setup that works without needing a full-time AWS security person?