If you violate policy (of which there are likely many varied yet incontestable interpretations), AWS pulls the rug out from under you faster than one can say "neutral". That's excluding they do not make newer policies on-the-fly.
It has nothing to do with "neutrality", they have Terms of Service like every single service provider in the world. If you violate them, there goes your infra. Spreading malware is almost certainly a violation of AWS' ToS (Amazon engs, correct me if needed)
It's a little more complicated than that in Cloudflare's case. The debate isn't really relevant to AWS/CloudFront or anyone else, but Cloudflare has famously had a policy of not kicking off any customers as long as they abide by US law. The CEO publicly identifies as a free speech absolutist. (Malware/phishing/etc. is still removed, since it's illegal.)
The CEO publicly broke their policy on this on two occasions: the neo-Nazi website The Daily Stormer, and 8chan. In each case, only after a long saga played out.
For The Daily Stormer: after they mocked the deceased victim of the Charlottesville rally, Cloudflare received public pressure to boot them but refused, and then the owner subsequently tried to troll them/the public by claiming Cloudflare executives secretly supported their ideology, causing them to finally be removed. (https://blog.cloudflare.com/why-we-terminated-daily-stormer/
)
For 8chan: Cloudflare received a lot of heat for not removing them after the first and second incidents of posters becoming mass shooters, eventually removing them after the third mass shooting. (https://blog.cloudflare.com/terminating-service-for-8chan/)
I forget the term/aphorism for this (like "double-bind", sort of), but they put themselves in an awkward position because they're probably one of the most neutral service providers out there - still far more than probably anyone else to this day - but by marketing themselves as 100% neutral, being only 99.99999% neutral created lots of lasting negative PR that people still regularly bring up.
Any other company would've kicked those people off way sooner and there would've been little to no publicity, because they routinely do such things, but now Cloudflare is hated by both the pro-censorship and the anti-censorship crowd. (See: https://en.wikipedia.org/wiki/Cloudflare#Mass_Shootings and everything below. It's quite a rollercoaster.)
It's a gray area. They sometimes reverse proxy frontend portals for those services, but not the services themselves. Sometimes the frontend won't have anything obviously illegal.
Anything that's actively serving malware or phishing pages is removed.
