Implement restrictions and least privilege for sensitive actions 

The AWS IAM role created in #1 must be used very carefully. It is a very powerful role that can provision any AWS service, so care must be taken to avoid security, privacy and cost issues. Start by manually triggering provision service. 