Your AWS root credential set

Is it secret? Is it safe? Managing the one credential set to rule them all comes with a considerable amount of effort. Even worse, AWS provides APIs to effectively privilege escalate a normal AWS admin role/user to root. What paths can a hacker take to completely takeover your AWS account, or even organization, and what mechanisms can you implement to combat this?