Ironically, they could have used those AWS keys to use one of the many AWS services that are more secure.

For example, S3 (ideally with KMS), Parameter Store (ideally with KMS), EBS, EFS, AWS Secrets Manager, even just KMS to directly encrypt the files.

Really, any AWS service that supports KMS and doesn't require giving the service principal access to the key.