This special creation role has always puzzled me a bit. Why does there need to be a special role with unrevokeable root privileges? I understand that it's useful, but why can't I at some point revoke its privileges when I'm done bootstrapping the cluster? If I do that in such a way that I need AWS support to help me get into a cluster I've locked myself out of, so be it.