"...The SSRF technique used in this incident was just one of many subsequent steps the perpetrator followed..."
Right. And if AWS pulled its thumb out and implemented the SSRF protection (in five years, for goodness' sake!), the perpetrator would not make this step and all "subsequent" after it. The lady is accused of 30 more data thefts - all from AWS buckets. Their owners also misconfigured their firewalls, I presume.