Given that they wrote a tool dedicated to pentesting AWS, I'm sure the author is very familiar with that.

Also the pentesting policy explicitly states that customers can pentest without approval.

Not sure what the shock is with seeing security tools like this released, the vast majority of security tools are open source, how is this different to what we have been seeing the past 30 year?

Not to mention companies such as Google, Netflix and Mozilla all release security tools just like this.

This isn't exploiting a vulnerability. This requires authentication and uses AWS features. Why would they need to alert AWS?