Not using root credentials is important, so add a few bits about the
privileges the IAM user should have. Also document that the password
for cloud machines will not be the default 'vagrant' password.

tutorials/Build-Qt-Using-AWS.md

@@ -30,9 +30,14 @@ or perhaps
 C:\> msiexec.exe /i https://awscli.amazonaws.com/AWSCLIV2.msi
 ```
 
-With the credentials for your AWS account at hand (you'll need the Access Key
-ID and the Secret, which you can generate and get from the AWS web console),
-run
+Now you need the credentials for your AWS account. You'll need the Access Key
+ID and the Secret, which you can generate and get from the AWS web console. As per
+AWS best practices, you should never use root account credentials to do actual work
+in an AWS account - it is both unsafe, and those credentials are also very short-lived
+and might expire during a minicoin operation.
+
+Instead, create an IAM user with the appropriate policy attached. `AMazonEC2FullAccess`
+is needed, `AmazonS3FullAccess` and `CloudWatchFullAccess` are useful for some functionality.
 
 ```
 $ aws configure
@@ -116,7 +121,11 @@ network through a list of ports (SSH, WinRM, VNC, RDP).
 
 Together with key-based authentication to the machine itself, this makes the
 machine sufficiently secure for our purposes (but don't use such a machine to
-run critical production workloads or to store confidential information).
+run critical production workloads or to store confidential information). You
+might in addition want to set a `AWS_VM_ADMIN_PASSWORD` environment variable
+with the password for the `vagrant` user on the machine. Note that the password
+needs to comply with the AWS password policy for instances. The default password
+will be the `$minicoin_key` environment variable.
 
 With everything working, we can now run a build on this machine just like
 with any local VM: