If somebody has access to the private key of the certificate he can use it for man in the middle attacks. Such attack can be used to redirect the user to another machine if the DNS lookup for the host given in the redirect results in the IP address of the other machine. This can be a different hostname in the same domain as in the original request and thus can be covered by the same wildcard certificate. But it can also be a different domain, for example a domain controlled by the attacker where he also has a certificate to do MITM where he controls the full server (no MITM needed).
Actually, I don't see the problem with a wildcard certificate in this case. It is enough that the attacker has access to any accepted certificate (wildcard or not) and its private key in order to sniff and modify the traffic. The attack is also not limited to redirecting to another system.
Can attacker redirect to: bad.s3.amazon.com/important.data (but actually corrupted data) with DNS/network rogue trick?
One way is to trick the user into using the wrong URL in the first place (social attacks). Then an attacker near the user (i.e. local network, ISP,...) might try do DNS spoofing, ARP spoofing or similar to let the user access the intended URL but on the wrong host. Only, in this case the HTTP host header of the request will show the intended domain and the HTTP based routing inside AWS will cause the request to either end up at the good bucket or to get rejected since the good bucket is not accessible using the specific IP address.