Re: Amazon need to make it more difficult to use insecurely than securely
A couple of things. One, ensure it can only be done by a confusing user interface where anything wrong in the process leaves it secure. The other, which I've suggested above, is to ignore what the user sets and periodically just go back to default. Perhaps send out an email: "We've noticed that you must have accidentally left your AWS system insecure so we've repaired that for you."
After a few cycles, update the email to explain why it's really bad. Or maybe do that first and then switch to the "We've fixed it" non-explanatory version.