Yeah, currently the keys are held securely within AWS and it's only available for use within specific AWS services - Elastic Load Balancer & CloudFront at the moment.
I mean, since they're offering for free what many others charge ~$100 USD for, I'm not surprised.
That said, SSL certs and domain renewals are the least interesting but high-importance items of running an online business. As I'm already heavily deployed on AWS, I have no problem having them handle all of this for me, for what is free to me. (yes yes, not technically free)
You only care about pinning when you fear that a third actor somewhere between your server and the end client might MitM the connection with a valid certificate.
If a third party controls your keys, certificate pinning is useless for preventing attacks from that third party or governmental agencies.
Most HPKP deployments pin to root or intermediate certificates of CAs (usually 2 separate CA entities, in case something happens to the primary CA) - meaning in a typical scenario, the attack surface is approximately the same.
Not sure if this approach is common in native applications that pin to keys as well.
Obviously. That doesn't mean pinning is impossible or useless against other threats though, so I don't think the argument makes sense in that general way. I bet there are tons of apps running/with backends running on AWS that should have certificate pinning.
http://aws.amazon.com/certificate-manager/pricing/
https://docs.aws.amazon.com/acm/latest/userguide/acm-certifi...