I don’t really have good answers to any of those questions off hand, however, this article doesn’t assume an pwned instance. It assumes a pwned API key / or AWS session. In that scenario, it doesn’t much matter what protection a given system has because AWS will give you the tools to get at the data, assuming the key you have is root-like.