In terms of priority, I've discussed this with others (including an EC2 expert). The EC2_ACCESS_KEY is effectively a username and the EC2_SECRET_KEY is effectively a password. The EC2_ACCESS_KEY is not generally discoverable and hard to enumerate without brute forcing and is not typically shared, so most people should be ok. That said, if someone set their EC2_URL to http or used a toolkit that used https but did not perform certificate verification (an unfortunately common practice), then the EC2_ACCESS_KEY could be revealed and the EC2_SECRET_KEY acquired. As such, leaving this as 'High'.
In terms of priority, I've discussed this with others (including an EC2 expert). The EC2_ACCESS_KEY is effectively a username and the EC2_SECRET_KEY is effectively a password. The EC2_ACCESS_KEY is not generally discoverable and hard to enumerate without brute forcing and is not typically shared, so most people should be ok. That said, if someone set their EC2_URL to http or used a toolkit that used https but did not perform certificate verification (an unfortunately common practice), then the EC2_ACCESS_KEY could be revealed and the EC2_SECRET_KEY acquired. As such, leaving this as 'High'.