Yes to the feature set
As to the CLI access - by default AWS instances have the CLI sealed
There is a way to unseal them if you need that level of access
We seal them because they are deployed in a public network so we try and provide an additional level of security
Once unsealed it cannot be resealed
Once in, the privileges are the same