Yeah, I'm not sure how anyone could consider this a "Critical Vulnerability". It's kind of cool and slightly frightening that Amazon scans for API keys. I'd love to know how they're going about the scan though; maybe using excess capacity to do a crawl and analyzing the results? Maybe through Alexa?