If Amazon has any secure cookies, they're not going to affect this particular attack. The traffic leg between the attacker and Amazon's servers can be encrypted, which means that she will receive the secure cookies. Because the leg between the victim and the attacker is not encrypted, the attacker simply rewrites the cookies to remove the "secure" flag. Thus, from the perspective of the victim the cookies are not secure.
To summarise, the attacker injects herself into the traffic stream, fully controlling the Amazon side of the communication, and forwards traffic to the victim rewriting as appropriate. The account compromise occurs when Amazon asks the victim for the password (as they do before each purchase) and the attacker captures the password (because it will have been sent to her, rather to Amazon).
I never said an attacker can't do this. I'm saying an attacker can't do a s/https/http and have a user end up at an HTTP login page, where the attacker can sniff credentials.
To summarise, the attacker injects herself into the traffic stream, fully controlling the Amazon side of the communication, and forwards traffic to the victim rewriting as appropriate. The account compromise occurs when Amazon asks the victim for the password (as they do before each purchase) and the attacker captures the password (because it will have been sent to her, rather to Amazon).