Question, about the GitHub Actions setup. There's this:

aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

What are these keys used for? Is there a description of how to created these so they are limited to the minimum required?

It’s only necessary if you plan to use a private ECR registry to host your images. A minimally scoped IAM user would need the ability to get the authorization token for the registry, push images, and pull images. https://docs.aws.amazon.com/AmazonECR/latest/userguide/security-iam.html