Are Elastic Beanstalk's environment variables an appropriate place to store secret values?
The point of keeping secrets out of source code is so they don't go into source control. This is particularly useful in open source projects.
When deployed, it doesn't matter if the secret's in a file or envvar. What's important is that only the OS user that your program is running as can read it. This is the default for envvars, which is convenient.
Root can always read everything. So Amazon can know your secret values if they want, because they are root (though they have policies against reading your stuff).
They do support pricey hardware security modules (HSM) though, which would make your keys unreadable. Of course, they could still use the HSM to decrypt your stuff, just never get the actual key.
There's also Key Management Service from AWS, which is like a software HSM
So either you need to trust Amazon, or host stuff yourself, or colocate.