I have to give AWS credit for updating their systems so quickly. Despite a bit of public anger over their lack of transparency (1) they managed to update thousands, if not tens of thousands of OpenSSL installations in their datacenter. Truly impressive devops at scale.

(1) https://forums.aws.amazon.com/thread.jspa?threadID=149690

I wonder if AWS got an early heads-up from OpenSSL as at least one other major infrastructure provider (Akamai) did: https://blogs.akamai.com/2014/04/heartbleed-faq-akamai-syste...

Were AWS API services affected? Is it possible that someone may have stolen private credentials and is now able to hijack customers accounts?

Most API requests are signed (using HMAC) with the API secret key, and do not actually include it, so no, probably. But certainly many other things could have been read if they were vulnerable.

Possible the AWS Web console could be affected.