Good point. Thanks for the advice, we will study quickly how we can improve this.
Our goal is above all to make the usage of AWS easier, and as a result, more secure. We do not want to expose the CLI users to any new threat. We made the source code available to anyone (even the anonymous data collection), to be transparent and get feedback on our work to correct it when needed.
PBKDF2, bcrypt, and scrypt are all used where a database needs to store something and check for equality, but where the values in the database need to not be reversible even if the database is breached. They might be suitable here.
None of those can deal with the case of having too limited of an input range. Even if you use a million rounds, you've only added 2^20 to the workload.
