All Beanstalk applications and environments can be configured through EBEXTENSIONS files that are packaged up with your application deployment package (e.g. WAR file for Java apps) with YAML-based configuration to update or reconfigure any part of your application, container, OS etc. Beanstalk is PaaS since it is a platform that allows you to deploy applications without having to worry about the underlying IaaS. All PaaS providers at the end of the day obfuscate the underlying IaaS through some form of automation. However since this is computer science we are talking about there is no single optimal state for all applications and without the ability to tweak the IaaS under the PaaS, you are at the mercy of the PaaS service provider to assure you that your applications run smoothly, fast and securely.
Heroku runs on top of AWS using a different management layer that's all. However it becomes a pain in the ass when you have to do things like securing your application. TheyWhile they do make best efforts to manage their solution efficiently and maintain security etc. they can't and won't take on the risk and the consequences of your a vulnerability in your app being exploited and theyat the end of the day. They want to make their services as cookie-cutter as possible.
The ability to tweak the IaaS underlying the platform is a strength and appeal of Beanstalk IMO.