The plugin updates did not fix the problem, but I finally found the culprit. It was a brute force attack on wp_login.php. I have been tracking the disk usage since the last time it grew so fast, and I just happened to check the disk at the same time an attack was happening. I was able to see the UPDATE queries in near real time by running this query:
SHOW FULL PROCESSLIST;
This allowed me to see queries hitting my wp_usermeta table and then I tracked the IP through my apache access_logs. I am now working to clean my database and remove all of the unnecessary data left behind by the attacks. My calculation shows there is about 175GB of unindexed data left behind by the attack.
WordPress.org recommends using WP-Sweep and WP-Optimize to analyze and clean my DB. I am currently testing these in stage.
In addition, AWS hosting support recommends obscuring my wp-login and wp-admin pages using this technique:
Does Bitnami have any recommendations in securing this image against brute force attacks? I believe I followed the setup recommendations from your documentation, but maybe I overlooked something along the way.
I'll post results of the next steps I take so you and other users will have a record of this in case it helps someone else down the line.
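Added example, not part of the original post and not Bitnami or WordPress code: one way to find the source of login floods in an Apache access log is to count POST requests to wp-login.php per client IP inside a sliding time window. The log lines are constructed samples in combined log format, and the threshold of 5 requests per 60 seconds is an assumed starting point to tune against normal traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def login_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak POSTs to wp-login.php inside any one window}
    for every client whose peak reaches the threshold."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Drop the query string so /wp-login.php?action=... still matches.
        if not m["path"].split("?", 1)[0].endswith("/wp-login.php"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:     # expire entries older than the window
            q.popleft()
        peak[m["ip"]] = max(peak[m["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}

def _line(ip, hhmmss, method, path, status):
    # Builds one constructed sample line; addresses are documentation ranges.
    return (f'{ip} - - [12/Mar/2024:{hhmmss} +0000] "{method} {path} HTTP/1.1" '
            f'{status} 1234 "-" "constructed-sample"')

SAMPLE = (
    # Eight login POSTs in 14 seconds from one client.
    [_line("203.0.113.7", f"10:00:{s:02d}", "POST", "/wp-login.php", 200)
     for s in range(0, 16, 2)]
    # Two logins ten minutes apart, and a plain page view.
    + [_line("198.51.100.20", "10:00:05", "POST", "/wp-login.php", 302),
       _line("198.51.100.20", "10:10:05", "POST", "/wp-login.php", 302),
       _line("192.0.2.5", "10:00:09", "GET", "/wp-login.php", 200)]
)

if __name__ == "__main__":
    for ip, n in sorted(login_bursts(SAMPLE).items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} login POSTs within 60s")
```

To run it against a real log, pass an open file handle instead of `SAMPLE`; entries are assumed to be in chronological order, as Apache writes them.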