AWS recommends that you create an IAM user or role for authenticating with AWS and never use root credentials to deploy the CloudFormation template. The IAM user must be allowed to perform AWS CloudFormation actions. The EC2 instance must be assigned an IAM role that grants it the permissions it needs on S3 storage.
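The instance-role arrangement described above, as an added example that is not part of the original guide: the CloudFormation resources (built as Python dicts) for an EC2 role and instance profile scoped to a single bucket, and a small pre-deployment audit that flags wildcard actions or resources. The bucket name, role names and the exact S3 actions are assumptions chosen for illustration.

```python
"""Least-privilege IAM resources for an EC2 instance that needs S3 access,
plus a small audit that flags over-broad statements before deployment.

Added example, not from the original guide. The bucket name, resource
names and the specific S3 actions are assumptions for illustration.
"""
import json


def instance_role_resources(bucket_name: str) -> dict:
    """CloudFormation resources (as dicts) granting an EC2 instance
    list/get/put access to one bucket and nothing else (assumed scope)."""
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    policy = {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListBucket", "Effect": "Allow",
             "Action": ["s3:ListBucket"], "Resource": bucket_arn},
            {"Sid": "ObjectAccess", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": f"{bucket_arn}/*"},
        ],
    }
    return {
        "InstanceRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                # Only the EC2 service may assume this role.
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow",
                                   "Principal": {"Service": "ec2.amazonaws.com"},
                                   "Action": "sts:AssumeRole"}],
                },
                "Policies": [{"PolicyName": "ScopedS3Access",
                              "PolicyDocument": policy}],
            },
        },
        # The instance profile is what gets attached to the EC2 instance.
        "InstanceProfile": {
            "Type": "AWS::IAM::InstanceProfile",
            "Properties": {"Roles": [{"Ref": "InstanceRole"}]},
        },
    }


def audit_policy(policy: dict) -> list:
    """Return findings for Allow statements that grant a whole service,
    every resource, or use NotAction/NotResource. Heuristic, not a full
    policy analyser."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        for a in actions:
            if a == "*" or a.endswith(":*"):
                findings.append(f"{sid}: wildcard action {a!r}")
        for r in resources:
            if r == "*":
                findings.append(f"{sid}: wildcard resource '*'")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource inverts the allow-list")
    return findings


def audit_template_resources(resources: dict) -> list:
    """Run audit_policy over every inline policy of every IAM role."""
    findings = []
    for name, res in resources.items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        for pol in res["Properties"].get("Policies", []):
            findings.extend(f"{name}/{pol['PolicyName']}: {f}"
                            for f in audit_policy(pol["PolicyDocument"]))
    return findings


# Constructed counter-example: the kind of policy the audit should reject.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllS3", "Effect": "Allow",
                   "Action": "s3:*", "Resource": "*"}],
}

if __name__ == "__main__":
    resources = instance_role_resources("example-app-data")
    print(json.dumps(resources, indent=2))
    print("scoped findings:", audit_template_resources(resources))
    print("broad findings:", audit_policy(OVERLY_BROAD_POLICY))
```

The dicts serialise directly to the JSON form of a CloudFormation template, so the same audit can be run over a template's `Resources` section after loading it; the heuristic is intentionally narrow and does not replace IAM Access Analyzer or a full policy review.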
The following links provide more information about AWS best practices:
Amazon recommends that you enable AWS CloudTrail logging to support governance, compliance, and operational and risk auditing of your AWS account. AWS CloudTrail enables you to:
View the event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, the command line tools, and other AWS services.
Identify the initiator of actions, resources involved, and event timing.
This event history helps to simplify security analysis, resource change tracking, and troubleshooting.
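The kind of analysis the event history supports, as an added example that is not part of the original guide: a parser for CloudTrail log-file records that extracts initiator, action, source address, resources and time, orders the events, and flags any root-account activity (the guide's earlier advice is never to deploy with root credentials). The records below are constructed sample data in the CloudTrail log-file layout, not real account activity.

```python
"""Parse CloudTrail records to answer 'who did what, to which resources,
when' and to flag root-account activity.

Added example, not from the original guide. SAMPLE_LOG is constructed
sample data in the CloudTrail log-file layout, not real account activity.
"""
import json
from datetime import datetime, timezone

SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.08", "eventTime": "2024-03-01T10:15:00Z",
     "eventSource": "cloudformation.amazonaws.com", "eventName": "CreateStack",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE",
                      "arn": "arn:aws:iam::123456789012:user/deployer",
                      "accountId": "123456789012", "userName": "deployer"},
     "requestParameters": {"stackName": "app-stack"},
     "resources": [{"ARN": "arn:aws:cloudformation:us-east-1:123456789012:stack/app-stack/abc",
                    "type": "AWS::CloudFormation::Stack"}]},
    {"eventVersion": "1.08", "eventTime": "2024-03-01T09:58:30Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "principalId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:root",
                      "accountId": "123456789012"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventVersion": "1.08", "eventTime": "2024-03-01T10:20:45Z",
     "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "awsRegion": "us-east-1", "sourceIPAddress": "10.0.1.25",
     "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLE:i-0abc",
                      "arn": "arn:aws:sts::123456789012:assumed-role/InstanceRole/i-0abc",
                      "accountId": "123456789012",
                      "sessionContext": {"sessionIssuer": {"type": "Role",
                                                           "userName": "InstanceRole"}}},
     "resources": [{"ARN": "arn:aws:s3:::example-app-data/config.json",
                    "type": "AWS::S3::Object"}]},
]})


def actor(identity: dict) -> str:
    """Collapse the userIdentity block into a short 'who' label."""
    kind = identity.get("type")
    if kind == "Root":
        return "root"
    if kind == "IAMUser":
        return f"user/{identity.get('userName')}"
    if kind == "AssumedRole":
        # For role sessions the issuing role name lives in sessionContext.
        issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
        return f"role/{issuer.get('userName')}"
    return identity.get("arn", "unknown")


def summarize(log_text: str) -> list:
    """Return one row per record (who, what, where from, which resources,
    when), sorted by event time so the history reads chronologically."""
    records = json.loads(log_text)["Records"]
    rows = []
    for r in records:
        when = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append({
            "time": when.replace(tzinfo=timezone.utc),
            "actor": actor(r["userIdentity"]),
            # eventSource is '<service>.amazonaws.com'; keep the service part.
            "action": f"{r['eventSource'].split('.')[0]}:{r['eventName']}",
            "source_ip": r.get("sourceIPAddress"),
            "resources": [x["ARN"] for x in r.get("resources", [])],
        })
    rows.sort(key=lambda x: x["time"])
    return rows


def root_activity(rows: list) -> list:
    """Any event initiated by the root user is worth a review."""
    return [x for x in rows if x["actor"] == "root"]


if __name__ == "__main__":
    history = summarize(SAMPLE_LOG)
    for row in history:
        print(row["time"].isoformat(), row["actor"], row["action"],
              row["source_ip"], row["resources"])
    print("root events:", len(root_activity(history)))
```

Real log files are gzipped JSON objects of the same shape under the trail's S3 prefix, so `summarize` applies unchanged after decompression; `resources` is only populated for some services, which is why the summary also keeps `requestParameters`-independent fields such as the action and source address.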