I too have this IP in my account login history. As well as others since July from other places globally.
This appears it was not brute force attempts, as the log would show failed login attempts. They just logged right in, first try. Sounds like a web site vulnerability.
- cloudfront
- ses
- ebs
- rds (snapshots/backups on s3)
- lambda functions (appear to be stored in s3)
perhaps others