I'am honest, similar things could happen on my laptop for my personal stuff.

I have some AWS keys in some files that are used by terraform/packer. A hacker could easily get them.

Some other AWS keys are stored in the CI system and provided as env variables. Someone that can merge/push to the specified branches can just change the CI script an exfiltrate them.

How can I fix that?

I would need some MFA for both cases. I would imagine it would be a good idea that I have to confirm each action on MFA device, which will then generate temporary tokens that are invalid after a few minutes. I locked into some solutions like Hashicorp Vault but I was not able to build something in a short time. New features were always more important.

How do you do it?

YubiKeys and aws-vault for managing my credentials. Hashicorp Vault and SSM for services.

You use aws-vault(https://github.com/99designs/aws-vault) and configure it with IAM and MFA with YubiKeys. You configure e.g. the profile jonsmith.

When you run

aws-vault exec jonsmith -- aws s3 ls

it will ask you, e.g. every hour to confirm with YubiKeys and cache the key for one hour. After that the temporary keys expire. Can you also store keys different from AWS?