The keypair AWS generates can only be downloaded once, at the time of instance creation. Beyond that, they expect you to be in possession of the keypair when launching another instance that uses the same keypair. If you happen to lose the file, you're basically out of luck.
So to directly address your concern, you can't download the keypair at any point in time; it's just a one-time thing. To me that seems much more secure than emailing out a root password and enabling password authentication by default.
I much prefer DigitalOcean's option of no root password and letting me upload my public key. There's no need for them ever to know my password or private key.