It always bothered me that the AWS CLI relies on plaintext credentials (in a well-known location too, at ~/.aws!). These days my AWS credentials are stored encrypted in pass, the only field in the credentials file is `credential_process`, which asks for the values from pass, and that credentials file itself is an auto-generated temporary file (set in the appropriate `AWS_FOO` env var).
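
A `credential_process` helper of the kind the comment above describes, added here as an example; it is not the commenter's own script. The pass entry layout (secret key on the first line, an `access_key_id:` field below it), the entry name `aws/personal` and the helper path are assumptions.

```shell
#!/bin/sh
# Added example: credential_process helper that reads AWS keys from pass.
# Assumed (hypothetical) pass entry layout, e.g. entry "aws/personal":
#   line 1      : the secret access key
#   later line  : access_key_id: <key id>
# Assumed use in the credentials file (helper path is hypothetical):
#   [default]
#   credential_process = /path/to/aws-pass-helper aws/personal

# Escape backslashes and double quotes so a value is a safe JSON string.
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Read a decrypted pass entry on stdin and print the JSON document the
# AWS CLI expects from credential_process. Prints nothing on stdout and
# returns non-zero if either value is missing, so the CLI fails closed.
entry_to_json() {
    entry=$(cat)
    secret=$(printf '%s\n' "$entry" | sed -n '1p')
    key_id=$(printf '%s\n' "$entry" |
        sed -n 's/^access_key_id:[[:space:]]*//p' | sed -n '1p')
    if [ -z "$secret" ] || [ -z "$key_id" ]; then
        echo "pass entry lacks a secret key or access_key_id field" >&2
        return 1
    fi
    printf '{"Version": 1, "AccessKeyId": "%s", "SecretAccessKey": "%s"}\n' \
        "$(json_escape "$key_id")" "$(json_escape "$secret")"
}

# Entry point when invoked as: aws-pass-helper <pass-entry-name>
# The decrypted entry only ever travels through a pipe, never a file.
if [ "$#" -eq 1 ]; then
    pass show "$1" | entry_to_json
fi
```

The JSON goes to stdout only; errors go to stderr so they cannot be mistaken for credentials.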