Tuesday, July 16, 2019

Account compromise incident response in AWS

In case of account compromise, the suggested actions to take are:
  • Change the root password and delete the root access keys if you haven’t already done so.
  • Add MFA to the root account if you haven’t already done so.
  • Change all user account passwords (I strongly doubt this one, but the documentation says so; for certification exam purposes, consider this one true).
  • Delete or rotate potentially compromised account access keys.
  • Delete unrecognized/unauthorized instances and IAM users with the help of AWS Config and CloudTrail.
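
One way to turn the IAM items of this checklist into a worklist, as an added example that is not part of the original post: it reads an IAM credential report CSV and lists which root and user credentials still need action. The report rows, the two incident timestamps and the function names are constructed for illustration; unrecognized instances are outside its scope and still need AWS Config and CloudTrail.

```python
import csv
import io
from datetime import datetime

# Constructed sample in the IAM credential report CSV layout (subset of columns).
SAMPLE_REPORT = """user,user_creation_time,password_enabled,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,2017-03-01T10:00:00+00:00,not_supported,not_supported,false,true,2018-01-05T09:00:00+00:00,false,N/A
alice,2018-02-10T08:00:00+00:00,true,2019-07-15T12:00:00+00:00,true,true,2019-01-20T08:00:00+00:00,false,N/A
build-bot,2018-06-01T08:00:00+00:00,false,N/A,false,true,2019-07-15T13:00:00+00:00,false,N/A
tmp-admin,2019-07-13T02:14:00+00:00,true,2019-07-13T02:14:00+00:00,false,true,2019-07-13T02:15:00+00:00,false,N/A
"""
# Constructed incident timeline (assumptions for this example).
COMPROMISE_START = datetime.fromisoformat("2019-07-13T00:00:00+00:00")
RESPONSE_START = datetime.fromisoformat("2019-07-15T00:00:00+00:00")


def parse_ts(value):
    """Parse a report timestamp; 'N/A' and 'not_supported' give None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def triage(report_csv, compromise_start, response_start):
    """Return (user, action) pairs for credentials not yet handled."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user, is_root = row["user"], row["user"] == "<root_account>"
        created = parse_ts(row["user_creation_time"])
        if not is_root and created and created >= compromise_start:
            # Created inside the incident window: confirm in CloudTrail first.
            findings.append((user, "review-unrecognized-user"))
            continue
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
            if is_root:
                findings.append((user, f"delete-root-key-{n}"))
            elif rotated is None or rotated < response_start:
                findings.append((user, f"rotate-key-{n}"))
        if is_root and row["mfa_active"] != "true":
            findings.append((user, "enable-root-mfa"))
        changed = parse_ts(row["password_last_changed"])
        # The report has no root password timestamp, so root is always listed.
        if is_root or (row["password_enabled"] == "true"
                       and (changed is None or changed < response_start)):
            findings.append((user, "change-password"))
    return findings
```

A real report comes from `aws iam generate-credential-report` followed by `aws iam get-credential-report`, whose `Content` field is the base64-encoded CSV.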
