Oh. Security issue.
I think the question you should ask here is: what do you do with, for example, MySQL passwords in your PHP configuration files?
To be honest, I would say that if someone managed to get a copy of your files, then your security needs to be rethought anyway. For my own use, I usually save passwords in only one place (on the server where they should be used), and make sure that I use a randomly generated password each time (insert it into the configuration file and voila!)
To be honest, if this is not your own host, any sensitive data may be compromised.
If this is your own host, I would suggest using the correct permissions on Linux and PHPSuExec to make sure that only scripts that you can write can access the files.
In any case, to answer your original question, your AWS access/secret keys are the same as the MySQL password. Well, they have the potential to allow someone to access your service, but they do not give them access to your personal details. Even with symmetric encryption, if your script has a security hole, you can access this information.
Simply put, you run the risk when you put these keys in any place accessible to anyone other than you. How much do you trust Amazon servers to not be at risk?
My suggestion is to try to add as much security as you can, but keep track of your account. I usually run a cron job that sends me an email with changes to my S3 account (newly uploaded files, new buckets, etc.), and from this I can tell what is happening.
There is no simple solution; it is a combination of providing each separate layer of the system. I mean, if you use symmetric encryption, the password for this must be saved somewhere, right? Or are you going to enter it every time?
Hope this helps
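
The cron-driven change report described in the answer above, as an added example that is not part of the original post. The snapshot format (bucket name mapped to object keys and ETags), the function names and the sample data are assumptions; producing the current listing is left to whichever S3 client you use.

```python
"""Added example: diff two S3 inventory snapshots for a scheduled change report."""

def diff_inventory(previous, current):
    """Compare snapshots shaped as {bucket: {object_key: etag}} (assumed format)."""
    report = {
        "new_buckets": [], "removed_buckets": [],
        "new_objects": [], "changed_objects": [], "removed_objects": [],
    }
    for bucket in sorted(set(previous) | set(current)):
        if bucket not in previous:
            report["new_buckets"].append(bucket)
        if bucket not in current:
            report["removed_buckets"].append(bucket)
        old = previous.get(bucket, {})
        new = current.get(bucket, {})
        for key in sorted(set(old) | set(new)):
            path = f"{bucket}/{key}"
            if key not in old:
                report["new_objects"].append(path)
            elif key not in new:
                report["removed_objects"].append(path)
            elif old[key] != new[key]:
                # Same key, different ETag: the object was overwritten.
                report["changed_objects"].append(path)
    return report

def format_report(report):
    """Return one line per change, or an empty string when nothing changed."""
    return "\n".join(
        f"{kind}: {item}" for kind, items in report.items() for item in items
    )

# Constructed sample snapshots (not real buckets or ETags).
PREVIOUS = {
    "site-assets": {"logo.png": "a1", "app.js": "b2"},
    "backups": {"db.sql.gz": "c3"},
}
CURRENT = {
    "site-assets": {"logo.png": "a1", "app.js": "ff", "x.php": "d4"},
    "tmp-share": {"dump.zip": "e5"},
}

if __name__ == "__main__":
    body = format_report(diff_inventory(PREVIOUS, CURRENT))
    if body:
        # cron mails a job's stdout to MAILTO, so print only when something changed.
        print(body)
```

Store the current snapshot after each run so the next run diffs against it.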