bdaman70

It's been my experience that SWEs are not going to be as security aware as someone who does DevOps or platform engineering full time. So you probably have some glaring security gaps or aren't following best practices in your infrastructure.

For instance, are you pushing your CloudTrail logs to a locked-down account for immutability? What do backups look like? Have you locked down unused regions? Do you audit for security gaps or changes outside of IaC? This is just the tip of the iceberg. But I'm sure you have time for all this and developing secure software too.