I don’t understand networking well. But it seems there are some limited options to protect your network from BGP hijacking.
Though, after casting about, I found that Amazon is marked as “safe” by isbgpsafeyet.com, which I interpret to mean that they met the requirements but failed in practice.
An alternative approach to ROA creation would be to do what other networks such as Cloudflare and Comcast have done: set the origin and maximum prefix length to be identical to how the prefix is routed. While this approach incurs an overhead cost of needing to update a ROA every time a route is modified, it also leaves little room for alternate versions of the route to come into circulation.
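The maximum-prefix-length point above, as an added example that is not part of the original post or of any network's tooling: it implements RFC 6811 route origin validation and a small audit that flags ROAs whose maxLength is longer than the prefix as actually routed. The prefixes (IPv6 documentation range), AS numbers (documentation range) and the names `ROA`, `validate` and `loose_roas` are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class ROA:
    prefix: str       # covering prefix authorised by the ROA
    max_length: int   # longest announcement the ROA authorises
    origin_asn: int   # AS allowed to originate it

def _covers(roa_prefix, route_prefix):
    """True when route_prefix is equal to or more specific than roa_prefix."""
    roa_net = ipaddress.ip_network(roa_prefix)
    route = ipaddress.ip_network(route_prefix)
    return route.version == roa_net.version and route.subnet_of(roa_net)

def validate(route_prefix, origin_asn, roas):
    """RFC 6811 outcome for one announcement: valid, invalid or not-found."""
    length = ipaddress.ip_network(route_prefix).prefixlen
    covered = False
    for roa in roas:
        if not _covers(roa.prefix, route_prefix):
            continue
        covered = True
        if roa.origin_asn == origin_asn and length <= roa.max_length:
            return "valid"
    # Covered by some ROA but matched by none means invalid, not unknown.
    return "invalid" if covered else "not-found"

def loose_roas(roas, routed):
    """ROAs whose maxLength exceeds the longest prefix routed under them."""
    flagged = []
    for roa in roas:
        lengths = [ipaddress.ip_network(p).prefixlen for p, asn in routed
                   if asn == roa.origin_asn and _covers(roa.prefix, p)]
        if lengths and roa.max_length > max(lengths):
            flagged.append(roa)
    return flagged

# Constructed sample data: the network only ever announces the /32.
ROUTED = [("2001:db8::/32", 64500)]
LOOSE = ROA("2001:db8::/32", 48, 64500)    # authorises every /33 to /48 too
STRICT = ROA("2001:db8::/32", 32, 64500)   # identical to how it is routed

if __name__ == "__main__":
    unrouted = "2001:db8:1::/48"  # more specific that the owner never announces
    print("loose ROA :", validate(unrouted, 64500, [LOOSE]))
    print("strict ROA:", validate(unrouted, 64500, [STRICT]))
    print("audit     :", loose_roas([LOOSE, STRICT], ROUTED))
```

Running the audit against a table of your own announcements shows which ROAs authorise more than is routed; tightening them means updating the ROA whenever the routing changes, which is the overhead the passage mentions.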