Considering the domain is amazonaws.com, it is only fair they keep it with themselves. They can't be in the business of providing arbitrary subdomains under their parent domain just to have it point to some other external IP.
I'm talking about custom domains. You can set up AWS to manage certs for mycompany.com (for example). When you do that they ought to give you a copy of the private key to *.mycompany.com. I am not talking about the amazonaws.com certs.