A. Use AWS Config to review the IAM policy assigned to users before and after the incident.
B. Run the GenerateCredentialReport via the AWS CLI, and copy the output to Amazon S3 daily for auditing purposes.
C. Copy AWS CloudFormation templates to S3, and audit for changes from the template.
D. Use Amazon EC2 Systems Manager to deploy images, and review AWS CloudTrail logs for changes.