
As a "cloud lead" equivalent I make sure I have as little access as possible and all my (and everyone else's) actions are logged in an (as much as possible) immutable way. And if anyone managed to log into any AWS account with root credentials (MFA token stored in a safe) we get alerts in GuardDuty, Slack, and email within a couple of minutes.

AWS provides all the tools to do this and it does not take that much work to implement. There is zero excuse for a company to allow cowboy shit like this.
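An added example (not code from any commenter in this thread) of the alerting the comment above describes: detection logic run over constructed CloudTrail records that flags any use of root credentials, any API call that weakens the trail itself, and console logins without MFA. It also shows the EventBridge event pattern that gives the near-real-time alert, with a minimal matcher for the exact-match subset of pattern semantics. The account ID, IP addresses and timestamps are placeholders; in production the records arrive from CloudTrail via EventBridge or from the log bucket, and the alerts would be routed to Slack or email.

```python
"""Root-usage and trail-tampering detection over CloudTrail records.

Added example for the thread above, not a commenter's code. The records are
constructed to follow the CloudTrail record format; account ID, IPs and
timestamps are placeholders.
"""
from typing import Any

# Constructed sample CloudTrail records (not real log data).
SAMPLE_EVENTS: list[dict[str, Any]] = [
    {   # root console login, even with MFA: root should never be used
        "eventTime": "2024-05-01T10:12:03Z", "eventName": "ConsoleLogin",
        "eventSource": "signin.amazonaws.com", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "Root", "accountId": "111122223333",
                         "arn": "arn:aws:iam::111122223333:root"},
        "additionalEventData": {"MFAUsed": "Yes"},
    },
    {   # ordinary IAM user login with MFA: no alert
        "eventTime": "2024-05-01T10:15:44Z", "eventName": "ConsoleLogin",
        "eventSource": "signin.amazonaws.com", "sourceIPAddress": "203.0.113.11",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "additionalEventData": {"MFAUsed": "Yes"},
    },
    {   # root switching logging off: two alerts (root use + tampering)
        "eventTime": "2024-05-01T10:20:00Z", "eventName": "StopLogging",
        "eventSource": "cloudtrail.amazonaws.com", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "Root", "accountId": "111122223333"},
    },
    {   # IAM user logging in without MFA: weaker, separate alert
        "eventTime": "2024-05-01T11:02:10Z", "eventName": "ConsoleLogin",
        "eventSource": "signin.amazonaws.com", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "userName": "bob"},
        "additionalEventData": {"MFAUsed": "No"},
    },
]

# EventBridge event pattern for a root console sign-in, in the shape
# EventBridge uses (each leaf is a list of accepted values). The same pattern
# with detail-type "AWS API Call via CloudTrail" catches root API calls.
ROOT_SIGNIN_PATTERN: dict[str, Any] = {
    "detail-type": ["AWS Console Sign In via CloudTrail"],
    "detail": {"userIdentity": {"type": ["Root"]}},
}

# API calls that weaken or disable the audit trail; alert on these from
# anyone, not only root.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def matches_pattern(pattern: dict[str, Any], event: dict[str, Any]) -> bool:
    """Exact-match subset of EventBridge pattern semantics: every pattern key
    must exist in the event; nested dicts recurse, a list means 'one of'."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches_pattern(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def wrap_for_eventbridge(record: dict[str, Any]) -> dict[str, Any]:
    """CloudTrail records reach EventBridge in an envelope whose `detail` is
    the record; sign-ins and API calls carry different detail-types."""
    if record["eventSource"] == "signin.amazonaws.com":
        return {"source": "aws.signin", "detail": record,
                "detail-type": "AWS Console Sign In via CloudTrail"}
    return {"source": "aws.cloudtrail", "detail": record,
            "detail-type": "AWS API Call via CloudTrail"}


def find_alerts(records: list[dict[str, Any]]) -> list[tuple[str, str]]:
    """Return (severity, message) pairs for records that should page someone."""
    alerts: list[tuple[str, str]] = []
    for rec in records:
        ident = rec.get("userIdentity", {})
        who = ident.get("arn") or ident.get("userName") or ident.get("type")
        where = f"{rec['eventName']} from {rec.get('sourceIPAddress', '?')} at {rec['eventTime']}"
        if ident.get("type") == "Root":
            alerts.append(("critical", f"root credentials used: {where}"))
        if rec["eventName"] in TRAIL_TAMPERING:
            alerts.append(("critical", f"CloudTrail tampering by {who}: {where}"))
        if rec["eventName"] == "ConsoleLogin" and \
                rec.get("additionalEventData", {}).get("MFAUsed") == "No":
            alerts.append(("high", f"console login without MFA by {who}: {where}"))
    return alerts


if __name__ == "__main__":
    for severity, message in find_alerts(SAMPLE_EVENTS):
        print(f"[{severity}] {message}")
```

The tampering rule is there because someone with enough rights will try to stop the trail before doing anything else; the "immutable" part of the comment is CloudTrail log file validation plus a log bucket (ideally in a separate log-archive account) that the workload accounts cannot write to or delete from, so that a StopLogging call is itself the last thing the attacker gets to hide.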



If you wanted to though, I’m sure you could figure out a way to get around this to exfiltrate data and simulate a “hack”. If Snowden could leak NSA data, what hope do you have of securing your company’s data from a nefarious person in a leadership position?

Is it possible? Technically, yes, but the level of paranoia and mistrust required to prevent this kind of thing is never going to be supported by leadership or other engineers trying to do their jobs.

Should you lock up your root key effectively like you describe? Absolutely. Should you do other things to restrict access to sensitive data? Absolutely. But whatever you do, you’re not going to be able to avoid a sophisticated internal attacker without making normal work extremely difficult.


As a conman scumbag cloud lead, wouldn't you make sure to have as much access as possible and have none of your actions (and maybe nobody else's, for extra confusion) logged (or, if forced to, only in a super ephemeral way)? Root credentials would be stored only on yellow sticky notes.



