diff --git a/README.md b/README.md
index 3b15002..66385a1 100644
--- a/README.md
+++ b/README.md
@@ -31,9 +31,54 @@ jobs:
 uses: aws-actions/amazon-ecr-login@v1
 - name: Build and redeploy
- uses: jaroldwong/ecr-push-and-ecs-deploy@v1
+ uses: enode-engineering/ecr-push-and-ecs-deploy@master
 with:
 ecr-registry: ${{ steps.login-ecr.outputs.registry }}
 ecr-repository: 'Repository name'
+ ecs-cluster: 'ECS cluster name'
 ecs-service: 'Service name'
 ```
+
+
+## Credentials and Region
+
+We recommend following [Amazon IAM best practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) for the AWS credentials used in GitHub Actions workflows, including:
+* Do not store credentials in your repository's code. You may use [GitHub Actions secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets) to store credentials and redact credentials from GitHub Actions workflow logs.
+* [Create an individual IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users) with an access key for use in GitHub Actions workflows, preferably one per repository. Do not use the AWS account root user access key.
+* [Grant least privilege](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege) to the credentials used in GitHub Actions workflows. Grant only the permissions required to perform the actions in your GitHub Actions workflows. See the Permissions section below for the permissions required by this action.
+* [Rotate the credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#rotate-credentials) used in GitHub Actions workflows regularly.
+* [Monitor the activity](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#keep-a-log) of the credentials used in GitHub Actions workflows.
+
+## Permissions
+
+This action requires the following minimum set of permissions:
+
+```json
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "GetAuthorizationToken",
+ "Effect": "Allow",
+ "Action": "ecr:GetAuthorizationToken",
+ "Resource": "*"
+ },
+ {
+ "Sid": "AllowPushAndRedeploy",
+ "Effect": "Allow",
+ "Action": [
+ "ecs:UpdateService",
+ "ecr:CompleteLayerUpload",
+ "ecr:UploadLayerPart",
+ "ecr:InitiateLayerUpload",
+ "ecr:BatchCheckLayerAvailability",
+ "ecr:PutImage"
+ ],
+ "Resource": [
+ "arn:aws:ecr:::repository/",
+ "arn:aws:ecs:::service//",
+ ]
+ }
+ ]
+}
+```
diff --git a/action.yml b/action.yml
index cb4f7a1..996830a 100644
--- a/action.yml
+++ b/action.yml
@@ -14,6 +14,9 @@ inputs:
 description: 'ECR image tag. Defaults to latest'
 required: true
 default: 'latest'
+ ecs-cluster:
+ description: 'The name of the ECS cluster'
+ required: true
 ecs-service:
 description: 'ECS service name'
 required: true
@@ -29,5 +32,5 @@ runs:
 shell: bash
 - name : Force new AWS ECS deployment
 run: |
- aws ecs update-service --cluster default --service ${{ inputs.ecs-service }} --force-new-deployment
+ aws ecs update-service --cluster ${{ inputs.ecs-cluster }} --service ${{ inputs.ecs-service }} --force-new-deployment
 shell: bash
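Review bot: The new `ecs-cluster` input is declared `required: true` with no `default:`, while the command it replaces in the next hunk hard-coded `--cluster default`, so every workflow that already uses this action will fail input validation until it adds the new input. The input immediately above it (the one ending in `default: 'latest'`) combines `required: true` with a default, and following that pattern with `default: 'default'` under `ecs-cluster` keeps existing callers working while still letting them choose a cluster. If the break is intentional, the description should say so and say what the value is used for, e.g. `description: 'ECS cluster that owns the service to redeploy (previously hard-coded to default)'`. The enclosing `inputs:` mapping starts before this hunk.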
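Review bot: The rewritten `run:` line interpolates `${{ inputs.ecs-cluster }}` (and the pre-existing `${{ inputs.ecs-service }}`) directly into a bash script, so any caller that derives either input from attacker-influenced data (a branch name, an issue title, a workflow_dispatch payload) gets a shell injection in a job that holds AWS credentials able to push images and redeploy services. Expressions are substituted textually before bash starts, so quoting inside the script cannot protect against this; the values should instead be passed through `env:` and referenced as quoted shell variables. The same treatment presumably applies to the other `run:` steps of this composite action, which lie outside this hunk. The `runs:`/`steps:` block enclosing this step starts before the hunk.

```yaml
      - name : Force new AWS ECS deployment
        env:
          ECS_CLUSTER: ${{ inputs.ecs-cluster }}
          ECS_SERVICE: ${{ inputs.ecs-service }}
        run: |
          aws ecs update-service --cluster "$ECS_CLUSTER" --service "$ECS_SERVICE" --force-new-deployment
        shell: bash
```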