Don't use IAM users
Don’t use IAM users.
Taking advantage of IAM roles instead of users is one of the most reliable ways to limit the damage from credential compromise. Why’s that? Roles can’t have static credentials!
Get your users accustomed to good AWS credential hygiene. If everyone knows that their credentials will only last a little while, you’re a lot less likely to end up with access keys in a git repo. And if keys do end up being leaked, they’ll only be useful for a short amount of time.
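To find out where static credentials still exist, here is an added example (not part of the original page) that reads an IAM credential report and lists every IAM user with an active access key, oldest first. The sample rows, user names and account ID are constructed, and the report is trimmed to the columns the check reads.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the column layout of the IAM credential report,
# trimmed to the columns this check reads. Not real account data.
SAMPLE_REPORT = """\
user,arn,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,true,2023-01-10T09:00:00+00:00,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,true,2024-05-01T12:00:00+00:00,true,2021-03-15T08:30:00+00:00
bob,arn:aws:iam::111122223333:user/bob,false,2022-07-01T00:00:00+00:00,false,N/A
"""


def static_key_findings(report_csv, now):
    """Return (user, key_slot, age_days) for each active static access key."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            if row.get(f"access_key_{slot}_active", "false").lower() != "true":
                continue  # no key in this slot, or the key is disabled
            rotated = row.get(f"access_key_{slot}_last_rotated", "N/A")
            try:
                age_days = (now - datetime.fromisoformat(rotated)).days
            except ValueError:
                age_days = None  # "N/A" or an unparseable timestamp
            findings.append((row["user"], f"access_key_{slot}", age_days))
    # Unknown ages first (they need a manual look), then oldest keys first.
    findings.sort(key=lambda f: (f[2] is not None, -(f[2] or 0)))
    return findings


if __name__ == "__main__":
    # Fixed "now" so the sample output is reproducible; use
    # datetime.now(timezone.utc) against a real report.
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for user, slot, age in static_key_findings(SAMPLE_REPORT, now):
        shown = "unknown age" if age is None else f"{age} days old"
        print(f"{user}: {slot} is active ({shown})")
```

Each finding is a workload or person to move onto a role; an empty result means no IAM user in the report holds an active access key.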