Note that as far as I could tell, this is a tool to check which unexpected AWS modifications can be done from API keys that you do make public in the first place. It doesn't "hack" an account per se.
So, for example, if you've created some IAM API keys and embedded them in an app, and you (incorrectly) believe the permissions only allow the app to fetch some static media files from an S3 bucket, the tool can discover incorrect configurations that would allow someone who extracted the key to change permissions of the bucket.
Yes, you'd have to leverage compromised credentials. Those could be obtained via SSRF, RCE on a privileged box, leakage of user access keys, or other means. In the context of a penetration test, it's more of a post-exploitation tool.
> First, authenticate to AWS CLI using credentials to the victim's account.
... right. This is just a glorified "what can this IAM user do" tool. There is literally no actual pentesting done. Not much different than having the key to your neighbor's front door and seeing how many things inside their house are unlocked for you.
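The embedded-key scenario discussed in this thread, as an added example that is not part of any comment or of the tool itself: a static check of an IAM identity policy for S3 actions that change bucket or object permissions, run before the key ships. The two policies and the bucket name are constructed, and the function names are hypothetical.

```python
import fnmatch

# Real IAM action names that change who can reach a bucket or its objects.
PERMISSION_CHANGING = (
    "s3:PutBucketPolicy", "s3:DeleteBucketPolicy", "s3:PutBucketAcl",
    "s3:PutObjectAcl", "s3:PutBucketPublicAccessBlock",
)

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def _statement_covers(st, action):
    """True if the statement's Action/NotAction element covers `action`."""
    negate = "NotAction" in st
    patterns = _as_list(st.get("NotAction") if negate else st.get("Action"))
    # IAM action matching is case-insensitive; * and ? are wildcards.
    hit = any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)
    return hit != negate

def risky_s3_actions(policy):
    """List permission-changing S3 actions an identity policy grants.

    Simplification: Resource and Condition on Allow statements are ignored
    (over-reports); a Deny only counts when it is unconditional on "*".
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be a bare object
        statements = [statements]
    allowed, denied = set(), set()
    for st in statements:
        for action in PERMISSION_CHANGING:
            if not _statement_covers(st, action):
                continue
            if st.get("Effect") == "Allow":
                allowed.add(action)
            elif "Condition" not in st and "*" in _as_list(st.get("Resource")):
                denied.add(action)
    return sorted(allowed - denied)

# Constructed sample policies (bucket name is a placeholder).
INTENDED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-media-bucket/*"}]}
ACTUAL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:Put*"], "Resource": "*"}]}

if __name__ == "__main__":
    print("intended:", risky_s3_actions(INTENDED))
    print("actual:  ", risky_s3_actions(ACTUAL))
```

An empty result for the policy attached to an embedded key is the expected outcome; any action listed is one that whoever extracts the key also holds.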