Propose to include AWS role to ensure credentials are not exposed for running the scans

An AWS role can be passed as a command line parameter (for STS assume role) to scan an account without creating/exposing access keys. It should not be a major code change and I can contribute if you are okay with it. 