diff --git a/website/source/docs/secrets/aws/index.html.md b/website/source/docs/secrets/aws/index.html.md index a062bce03..81f48a541 100644 --- a/website/source/docs/secrets/aws/index.html.md +++ b/website/source/docs/secrets/aws/index.html.md @@ -28,7 +28,7 @@ $ vault mount aws Successfully mounted 'aws' at 'aws'! ``` -Next, we must configure the root credentials that are used to manage IAM credentials: +Next, we must configure the credentials that Vault uses to manage the IAM credentials generated by this secret backend: ```text $ vault write aws/config/root \ @@ -37,6 +37,10 @@ $ vault write aws/config/root \ region=us-east-1 ``` +*Note that `root` does not mean it needs to be your AWS account's root credentials, and it +probably should not be. It is also unnecessary in many cases as Vault will use normal AWS credential mechanisms (instance profile, env vars, etc.) when possible. If you need to use static credentails, create an IAM user with permissions to manage IAM and STS. +See below for the specific actions required.* + The following parameters are required: - `access_key` - the AWS access key that has permission to manage IAM @@ -128,7 +132,8 @@ The [Quick Start](#quick-start) describes how to setup the `aws/creds` endpoint. ## Root Credentials for Dynamic IAM users -The `aws/config/root` credentials need permission to manage dynamic IAM users. +The `aws/config/root` credentials need permission to manage dynamic IAM users. +This does not mean it needs to be your AWS account's root credentials, and we would not suggest using them. Here is an example IAM policy that would grant these permissions: ```javascript
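Review bot: typo in the added note in the second hunk (the Quick Start `*Note that ...*` paragraph): `credentails` should be `credentials`. In the same paragraph, "See below for the specific actions required" would be clearer as a link to the section it points at, e.g. `See [Root Credentials for Dynamic IAM users](#root-credentials-for-dynamic-iam-users) for the specific actions required.`, since a reader of the Quick Start has no other way to find that policy. The statement that Vault falls back to normal AWS credential mechanisms (instance profile, env vars) when `aws/config/root` is not written is worth stating explicitly as "writing `aws/config/root` is optional" so operators know they can avoid static credentials entirely; and "an IAM user with permissions to manage IAM and STS" should say the permissions should be limited to the actions listed in that policy rather than broad IAM access.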
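Review bot: the third hunk (the `## Root Credentials for Dynamic IAM users` section) adds a sentence that duplicates the note introduced in the second hunk, with slightly different wording ("we would not suggest using them" vs. "it probably should not be"). Keep one authoritative statement here and have the Quick Start note link to it, or at least align the wording; "we recommend against using them" reads better than "we would not suggest using them". Also, "This does not mean it needs to be" has a number agreement problem: the subject is the plural "credentials", so "This does not mean they need to be your AWS account's root credentials" (the same fix applies to "it needs to be" in the second hunk).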