I, like everyone else, have been running around trying to figure out the details of Erratic's Capital One hack. Like (probably) everyone else, I was slightly off. Fortunately, other people figured out what the deal is and have written about it! It's not exactly credential reuse (though that happens too). Specifically, you can associate IAM roles that have specific abilities with VMs, so that you don't need to keep files with IAM keys sitting around. Unfortunately, these roles work via temporary credentials that can be accessed via the standard metadata API. Who knew AWS kept useful information in that! Erratic found an SSRF (a way of making the web app make HTTP connections) that let her automatically pull down the temporary S3 credentials.
Discussion of the hack with actual details: https://ejj.io/blog/capital-one
The exact URL to get temporary S3 credentials: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#instance-metadata-security-credentials
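On the defensive side, the web app's URL fetcher is where this chain can be cut. The following is an added example, not code from this post or from the linked write-up: a destination check for user-supplied URLs that refuses the link-local range the metadata API lives in (169.254.169.254) and any other non-public address. The function name `check_fetch_url` and the injectable `resolve` parameter are hypothetical.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def _resolve(host):
    """Default resolver: every address the name maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_fetch_url(url, resolve=_resolve):
    """Return (allowed, reason) for a URL the app was asked to fetch.

    Hypothetical helper: call it before any server-side request made
    on behalf of a user.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        addrs = {ipaddress.ip_address(host)}          # literal IP in the URL
    except ValueError:
        try:                                          # a name: check what it resolves to
            addrs = {ipaddress.ip_address(a) for a in resolve(host)}
        except (OSError, ValueError):
            return False, "unresolvable host"
    if not addrs:
        return False, "unresolvable host"
    for addr in addrs:
        # ::ffff:a.b.c.d is the same destination as a.b.c.d
        if addr.version == 6 and addr.ipv4_mapped:
            addr = addr.ipv4_mapped
        if addr.is_link_local:
            return False, "link-local (instance metadata range)"
        if not addr.is_global:
            return False, "non-public address"
    return True, "ok"
```

The check only helps if the request then goes to the address that was vetted: connect to that address rather than resolving the name a second time, and run the same check on every redirect hop.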