It is going to be the case that keys are going to be posted. The question is, why does AWS allow the default to be that someone who compromises an account is able to start 20 monster E3 instances in all 8 regions?
This happened to me (no, my keys have never been public and AWS staff were unable to find any) and AWS did remove the credit. However it took a lot of correspondence to have them set the number of available instances in all regions of my account except 1 to zero and in the region I use, set it to 6 instances (3 running, 3 spare).
In my correspondence I likened AWS to a credit provider who is delinquent in their responsibilities by letting creditors run up massive bills without even trying to limit the scope of their credit.
I recommend to any other AWS users that in addition to following the advice to cycle keys regularly they also contact AWS support and ask them to prevent instances from running especially in regions they are unlikely to use.