So, it's been a couple of weeks in real-time and about ten hours in "code"-time since I last posted on EC2 & JAX-WS, since which I've discovered two extra things. The second is in the next blog post.
Firstly, Amazon SQS requires that you make SOAP 1.1 calls to a unique URl per queue. This means that to use a given queue, a specific port has to be configured with the new location in JAX-WS. This took a little digging, but it is clearly mentioned in the CXF documentation. The relevant code is this:
String queueURL = "http://sqs.amazonaws.com/blablabla";
MessageQueue q = new MessageQueue(); //can re-use this apparently
MessageQueuePortType p = q.getMessageQueueHttpsPort(); //this is for a specific queue
//initialise the port to use WS-Security as documented below
BindingProvider provider = (BindingProvider)p;
...and that's it.