diff --git a/docs/deployment-with-docker.rst b/docs/deployment-with-docker.rst
index fb383c3c..25ff7cb9 100644
--- a/docs/deployment-with-docker.rst
+++ b/docs/deployment-with-docker.rst
@@ -42,6 +42,13 @@ You will probably also need to setup the Mail backend, for example by adding a `
 .. _sentry.io: https://sentry.io/welcome
 .. _Mailgun: https://mailgun.com
 
+Optional: Use AWS IAM Role for EC2 instance
+------------------------------------
+If you are deploying to AWS, you can use the IAM role to substitute AWS credentials, after which it's safe to remove the `AWS_ACCESS_KEY_ID` AND `AWS_SECRET_ACCESS_KEY` from the `.env`. To do it, create an `IAM role`_ and `attach`_ it to the existing EC2 instance or create a new EC2 instance with that role. The role should assume a minimum permission of `AmazonS3FullAccess`.
+
+.. _IAM role: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
+.. _attach: https://aws.amazon.com/blogs/security/easily-replace-or-attach-an-iam-role-to-an-existing-ec2-instance-by-using-the-ec2-console/
+
 HTTPS is on by default
 ----------------------