One consideration you might like to document is that, when using cloud native services to deploy your infrastructure, you have an additional security benefit in that the role which has permissions to amend your production infrastructure is only assumable by a cloud service (CodeBuild, etc.) and not assumable by any 'human' role.
Equally, applying roles with different permissions to different stages in the deployment pipeline helps to ensure that, for example, a deployment meant for a development account cannot actually be performed against a production account.
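As an added example (not code from the original comment or from any project it refers to), the following Python models both points: a trust policy that only a service principal can assume, an audit function that flags any trust policy a person could assume, and per-stage deploy roles whose permission policies are pinned to their own account with the `aws:ResourceAccount` condition key. Account IDs, region, role names and the stage-to-role mapping are constructed for illustration.

```python
"""Audit helpers for pipeline deploy roles.

Added example, not part of the original comment. Account IDs, region,
role and project names, and the stage->role mapping are constructed.
"""
import fnmatch

# Constructed trust policy: only AWS CodeBuild may assume the role, and only
# when invoked from one specific project in the pipeline account. The
# aws:SourceAccount / aws:SourceArn conditions stop another account's
# CodeBuild project from using this role (confused-deputy guard).
PROD_DEPLOY_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "codebuild.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {"aws:SourceAccount": "111111111111"},
            "ArnLike": {"aws:SourceArn":
                        "arn:aws:codebuild:eu-west-1:111111111111:project/deploy-prod"},
        },
    }],
}

# Constructed trust policy that additionally trusts the whole pipeline
# account: any IAM user or role there with sts:AssumeRole rights, i.e. a
# person, can now take the production deploy role.
LOOSE_TRUST = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "codebuild.amazonaws.com"},
         "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "sts:AssumeRole"},
    ],
}


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def human_assumable_principals(trust_policy):
    """Return every principal in an Allow statement that is not a service.

    Anything under "AWS" (account root, user, role or "*") or "Federated"
    is reachable by a person, so a deploy role for production should
    return an empty list here.
    """
    found = []
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not any(fnmatch.fnmatch("sts:assumerole", a) for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            found.append("*")
            continue
        for key in ("AWS", "Federated"):
            found.extend(_as_list(principal.get(key, [])))
    return found


# Constructed: one deploy role per stage, each living in that stage's account.
STAGE_DEPLOY_ROLES = {
    "dev":  "arn:aws:iam::222222222222:role/deploy-dev",
    "prod": "arn:aws:iam::333333333333:role/deploy-prod",
}


def account_of(role_arn):
    """Account ID is the fifth colon-separated field of an IAM ARN."""
    return role_arn.split(":")[4]


def stage_permission_policy(stage, actions=("cloudformation:*",)):
    """Permission policy for a stage's deploy role, pinned to its own
    account so the same template applied from the wrong stage is denied.
    aws:ResourceAccount is an AWS global condition key."""
    account = account_of(STAGE_DEPLOY_ROLES[stage])
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": list(actions),
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:ResourceAccount": account}},
        }],
    }


def deployment_allowed(stage, target_account):
    """Local pre-flight check: a stage may only target its own account."""
    role = STAGE_DEPLOY_ROLES.get(stage)
    return role is not None and account_of(role) == target_account


if __name__ == "__main__":
    for name, policy in (("prod-deploy", PROD_DEPLOY_TRUST), ("loose", LOOSE_TRUST)):
        print(name, "human-assumable:", human_assumable_principals(policy))
    print("dev -> prod account allowed:", deployment_allowed("dev", "333333333333"))
```

The trust-policy audit is the check worth running against every deploy role in an account (for example over the output of `aws iam get-role`): an empty result means only the named service can take the role. The `aws:ResourceAccount` condition is what makes the stage separation hold even if someone points the dev pipeline at production resource ARNs, because the role's own permissions deny anything outside its account.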