Also this. I mean they can easily touch the databases.
I’m not a system architect but expect it really depends on the setup. If they are using Bring Your Own Key (which they should be...) then it’s all encrypted and AWS doesn’t have the key.
All AWS are subject to side channel attacks.