Having root credentials is sufficient, and based on the fact that this guy said "apparently the s3 api lets you spin up ec2 instances" it looks like he didn't touch IAM.
Root credentials are deprecated, but can still be used and if this guy used them then yes, his billing alarms could have been disabled.
There's a difference between an admin iam user (can't do billing stuff) and the root credentials (just as powerful as username / password).
Root credentials are deprecated, but can still be used and if this guy used them then yes, his billing alarms could have been disabled.
There's a difference between an admin iam user (can't do billing stuff) and the root credentials (just as powerful as username / password).