Wise men enable security
No matter what sort of solution you decide to go with, you are throwing your trust behind a vendor, that could be the guys that make your tape drive, or the guys who are providing you with offsite hosting.
Amazon has a fairly decent track record, so I'm fairly happy to trust them with my data.
AWS has a rather decent level of security. If you want to have a web application interact with the AWS API you set it up with just enough IAM permissions to do the task it needs to do. You can bake these credentials into the app, or into a server, or even a set of credentials for each app per server.
You should never need to write your console credentials in any script or server location. Each console account can be fine tuned in privileges. I for example have granted my development team with access to view all my servers, ssh to them with the key attached to their account, but they can only use sudo and deploy to the development stacks.
The developers have read only access to the s3 object storage, but not access to delete, and don't have any access to the AMI's or ability to manage databases what so ever.
Me and my boss both have our own admin console credentials, protected via 2 factor auth, with the root credentials secured in the same manner.
This is all standard, and recommended behaviour for any AWS account. Anyone that isn't doing this is ignoring recommended practices, and if you would be stupid not to if you are hosting anything worth protecting.