Also this. I mean they can easily touch the databases.
I’m not a system architect but expect it really depends on the setup. If they are using Bring Your Own Key (which they should be...) then it’s all encrypted and AWS doesn’t have the key.
Over 70% of successful attacks are coming from "inside". So by probability, they hired the wrong guy, regardless of the details.