I asked it two questions and it gave me very reasonable, complete answers:

How do I connect two VPCs from separate organizations (VPC peering)

How do I only allow authorized applications to access my S3 bucket (BPA, IAM policies, a lot of best practices docs)