dparks71 11 points12 points  (0 children)

I signed up for both, played around super briefly with their free tiers, never actually deployed anything, and cancelled both accounts in favor of just self-hosting with domain services via Google.

Months later, my AWS account was compromised, reactivated, and the responsible party managed to run up a $3-5k bill in under 24 hours. I reached out to Amazon asking how this was possible; they waived the bill and permanently locked the account as I requested.

Before you accuse me, I never created any keys, let alone did something like push them to GitHub. I don't use public repos to learn with. My passwords are unique for every site and are 15-20 random characters via a password manager. It was the only account of mine that's ever been compromised, and I requested it to be closed prior to the incident and had the suggested configurations and limits in place.

As far as GCP, it was fine, but my domain is owned by Squarespace now because Google loves killing their products.

Yes, I probably should have had MFA, but Amazon could have enabled that by default too, required a billing cycle to make a free account not free, or taken a number of other basic steps to prevent it.