The ban is on reporting the exact locations (i.e. coordinates) of where missiles land, because it's information that is useful in helping the enemy to calibrate where missiles will land. Reporting on other details is perfectly acceptable.

AWS has a more powerful abstraction already, where you can condition permissions such that they are only granted when the request comes from a certain VPC or IP address (i.e. VPN exit). Malware thus exfiltrated real credentials, but they'll be worthless.