Re: What about pre-payment?
Yup hadn't purged them fully (though he's now revoked) - https://github.com/andhof-mt/shriek/commit/799a62ed075954eac673322b9f69963ad815c4d0
Looking at his post, I'm not sure they were just S3 keys, though it's hard to say for sure. Certainly can't find any reference (based on a _very_ quick google) to being able to fire up EC2 instances through the S3 API - though if it is true, that's some spectacularly bad design by Amazon.
But yes, either way, they definitely had too many privileges. Mind you, if you look at the average S3 tutorial online, the various authors all seem to think that creating limited privileges in IAM is too complex and skip over it.