Well, getting an SSL private key is difficult as they don't often get into memory and are quite long (difficult to get from 64k at a time). Whereas AWS credential keys are something that get into your servers RAM much more frequently and are shorter strings. So it could easily be remote memory exploitation. But more likely social engineering or some other easy path in.
Heartbleed only exposed SSL memory (like incoming or outcoming connections), but not other memory (particularly not program memory), containing AWS keys.
