Why don’t all critical applications at the very least not have immutable backups to a different account. This is easy to do in AWS. Ideally, these apps would also have better security posture, but doing this alone would go a long way. On my product, backup lambdas only have write access to our other account for backups. We’re backing up dynamodb and s3 continuously.