Tales from the cloud trenches: The Attacker doth persist too much, methinks
ID: 0a4c81f2-319e-5b2f-ad97-9bf9df75c218
STIX ID: report--0a4c81f2-319e-5b2f-ad97-9bf9df75c218
Feed Name: Datadog Security Labs
This report details a cloud security incident in which a leaked long-lived AWS access key tied to an AWS Organizations management account was exploited over roughly 150 minutes. The attackers, operating from multiple IP addresses, created Lambda functions (including an API-triggered "persistence-as-a-service" function capable of spawning IAM users), created privileged IAM users and roles as well as an Identity Center user and group, disabled organization-level service integrations, and performed console logins (notably from a Telegram-associated IP). The post includes IoCs (IP addresses, the created IAM usernames, roles and groups, Lambda function names and SHA256 hashes) and practical detection recommendations for identifying similar intrusions.