AWS IoT Core provides certificates for your things. When you delete an AWS IoT thing, the certificate attached to it will be available. If the policy attached to that certificate doesn't rely on the Thing's existance, which is not so uncommon, bad things can happen. Unused certificates are always dangerous.

This gist scans your all certificates and calls their principals (attached certificates). If there is no principal for a certificate, first makes it INACTIVE, then deletes it. I'm going to use this a lot on dev accounts.