Somebody came with the idea of creating an API key to connect with an AWS account to get AWS datacenter objects and filter traffic going out from on-premises network, and using Internet to connect to EC2 Instances with public IPs, and narrow down the access to specific AWS accounts in one region, and not the whole region as can be done with Checkpoint updatable objects.  However we realized that this type of policies were only available for VSec gateways (CloudGuard).  It will be a nice feature for on-premises to restrict the traffic over Internet.