Hi there I have improved the security of my terraform cloud workspaces and my AWS account by switching from AWS credentials (client_id and client_secret_id) to Dynamic Credentials maybe it will help you to improve the security in your projects : https://medium.com/@vivazmo/terraform-cloud-dynamic-credentials-for-aws-e492efaf529d

If not using Terraform Cloud but maybe using A CI like GitHub Actions you can use OIDC also with GitHub

Yes It is the best aproach. Use of Key has to be the last option. But there are a lot of projects using harcoded credencials.