This project is just one example of how an AWS IOT integration could work. What it does is it allows devices to automatically get credentials generated for AWS IOT via a lambda handler. This lambda handler will verify that the device belongs to your resin account, generate new credentials and stores them in the resin API for the device. The device is then able to read them as environment variables.
If your image is stolen (because the sd card is stolen for example) a potential attacker could generate multiple keys for this device.
The lambda handler only talks to the resin API and to AWS API. So you could also develop a different AWS provisioner, that creates credentials for AWS for a device and stores them in the resin API as env. variables for the specific device.