Re: What about pre-payment?
Aside from the obvious issue of storing credentials securely
And, as appears to be relevant here - actually bothering to set up non-privileged keys. If they were spinning up EC2 instances (and the dev seems surprised by it) then either he was using a key with permission to do so (i.e. it's been configured in IAM) or more likely was using his root keys, granting the attacker unlimited access.
Wonder whether he remembered to purge the keys from his commit history, a 5 minute window is pretty short...