Ensure that the IAM policies attached to this role allow access only to decoy resources and no other data or resources. Ensure that the IAM role’s trust policy only trusts principals in the same account to assume the role.
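One way to check both conditions against the role's policy documents, as an added example that is not from the original article. The account IDs, decoy ARNs and function names are constructed placeholders, and the check assumes any non-AWS principal (service, federated) should be flagged and does not evaluate `Condition` blocks.

```python
import re

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _account_of(principal):
    """Account ID named by an AWS principal string, or None for '*' and other forms."""
    if re.fullmatch(r"\d{12}", principal):
        return principal
    m = re.fullmatch(r"arn:aws[\w-]*:(?:iam|sts)::(\d{12}):.+", principal)
    return m.group(1) if m else None

def trust_violations(trust_policy, account_id):
    """Principals in Allow statements that are not AWS principals of account_id."""
    bad = []
    for st in _as_list(trust_policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if "NotPrincipal" in st:  # allows everyone except the listed principals
            bad.append("NotPrincipal")
        principal = st.get("Principal", {})
        if principal == "*":
            bad.append("*")
            continue
        for kind, values in principal.items():
            for p in _as_list(values):
                # Assumption: Service/Federated principals are flagged for review.
                if kind != "AWS" or _account_of(p) != account_id:
                    bad.append(f"{kind}:{p}")
    return bad

def permission_violations(policy, decoy_arns):
    """Resources in Allow statements that are not an exact entry in decoy_arns."""
    bad = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if "NotResource" in st:  # allows everything except the listed resources
            bad.append("NotResource")
        bad += [r for r in _as_list(st.get("Resource", [])) if r not in decoy_arns]
    return bad

# Constructed sample documents (placeholder account IDs and bucket name)
ACCOUNT = "111122223333"
DECOYS = {"arn:aws:s3:::example-decoy-bucket", "arn:aws:s3:::example-decoy-bucket/*"}
TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": [
    "arn:aws:iam::111122223333:root", "arn:aws:iam::444455556666:root"]}}]}
PERMS = {"Statement": {"Effect": "Allow", "Action": "s3:GetObject",
    "Resource": ["arn:aws:s3:::example-decoy-bucket/*", "arn:aws:s3:::*"]}}
```

An empty list from both functions means the documents satisfy the two conditions as far as this check goes; anything returned is a principal or resource to remove or justify.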
Read full article on AWS Security Blog