Seems like the AWS Glue exploit [1] discovered by the same team is the more critical one of these two. The CTO of Orca confirmed that they were able to access an admin role in an AWS service account, and from there assume roles in customer accounts with service roles that trust the glue service [2].
Objects encrypted with S3-managed encryption keys (SSE-S3) are affected, as these keys are set up with a non-configurable resource policy granting the S3 service decryption permissions.
1: https://orca.security/resources/blog/aws-glue-vulnerability/ 2: https://twitter.com/yoavalon/status/1481691075672694793