This talk discusses how to detect compromised AWS credentials that are being used outside of an organization's environment. It describes why this is hard to do with AWS CloudTrail event history and APIs, which impose limitations such as pagination and rate limiting. The talk presents an approach that relies on an assumption about how AWS works to overcome these challenges and achieve full-coverage detection within around 6 hours. It also covers preventing credential compromise by enforcing API access and protecting metadata.
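As an added illustration (not code from the talk, and not the talk's own method, which this summary does not spell out), the sketch below shows the basic idea of spotting a credential used outside the environment: compare the `sourceIPAddress` of each CloudTrail record against address ranges the organization owns. The `ORG_NETWORKS` ranges, key ids and records are constructed sample values.

```python
import ipaddress
import json

# Assumption: VPC/egress ranges the organization owns (documentation ranges).
ORG_NETWORKS = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "198.51.100.0/24")]

# Constructed CloudTrail-style records; key ids and addresses are placeholders.
SAMPLE_EVENTS = json.loads("""[
 {"eventTime": "2024-01-01T10:00:00Z", "eventName": "DescribeInstances",
  "sourceIPAddress": "10.1.2.3", "userIdentity": {"accessKeyId": "ASIAEXAMPLE0000000001"}},
 {"eventTime": "2024-01-01T11:00:00Z", "eventName": "Decrypt",
  "sourceIPAddress": "ec2.amazonaws.com", "userIdentity": {"accessKeyId": "ASIAEXAMPLE0000000001"}},
 {"eventTime": "2024-01-01T12:00:00Z", "eventName": "GetCallerIdentity",
  "sourceIPAddress": "203.0.113.77", "userIdentity": {"accessKeyId": "ASIAEXAMPLE0000000001"}},
 {"eventTime": "2024-01-01T12:05:00Z", "eventName": "ListBuckets",
  "sourceIPAddress": "198.51.100.20", "userIdentity": {"accessKeyId": "ASIAEXAMPLE0000000002"}}
]""")


def classify_source(source):
    """Map a CloudTrail sourceIPAddress value to internal/external/aws-service/unknown."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        # Calls made by AWS services on the principal's behalf carry a service
        # DNS name or "AWS Internal" instead of an IP address.
        if source.endswith(".amazonaws.com") or source == "AWS Internal":
            return "aws-service"
        return "unknown"
    return "internal" if any(addr in net for net in ORG_NETWORKS) else "external"


def find_external_use(events):
    """Return {accessKeyId: finding} for keys used from outside ORG_NETWORKS."""
    findings, seen_internal = {}, set()
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        key = ev.get("userIdentity", {}).get("accessKeyId")
        src = ev.get("sourceIPAddress", "")
        if not key:
            continue
        origin = classify_source(src)
        if origin == "internal":
            seen_internal.add(key)
        elif origin in ("external", "unknown"):
            finding = findings.setdefault(key, {"sources": [], "calls": []})
            if src not in finding["sources"]:
                finding["sources"].append(src)
            finding["calls"].append((ev["eventTime"], ev["eventName"]))
    for key, finding in findings.items():
        # A key seen both inside and outside suggests it left the environment.
        finding["also_seen_internal"] = key in seen_internal
    return findings
```
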