What you're talking about requires deep packet inspection. I don't see why AWS would do that on a platform that has the potencial to generate an enormous amount of HTTP traffic.

The costs of operating something like this would have to be passed on to the client making them less competitive. No way AWS would do this.

Good point - I've not been involved in this kind of deep packet inspection required to do this – in my mind, all it would require is a filter on "wp-admin.php" and the resulting status code.

Automated? Not sure they can tell nefarious from normal traffic.

I would expect they would block the offender very quickly if notified though.