security – How to authorize/authenticate a user (not a machine) in the AWS IoT Core MQTT broker?

In AWS IoT Core, authentication and authorization are done with policies and certificates in order to restrict a THING from accessing the MQTT broker, or from publishing or subscribing to a specific topic. In this scenario I have a topic attached to a Lambda that will apply a DELETE operation in a database. The machine (the thing) is already authorized/authenticated through certificates/policies, but let's say a hacker gets access to the machine and to its certificate. Reading the firmware, he will see the topic to delete a file, for example p/serialNumber/deletelog/log_nb. Now the hacker, through the machine, is authorized and authenticated to publish to this topic.

I would like to know if it is possible to mitigate this action (in this scenario) by creating a kind of authorization SESSION, like an HTTP SESSION, in the MQTT architecture. In this scenario the hacker would need a login and password to be authorized for this operation (not only the machine). It would be another layer of security.
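An added illustration of the "second layer" the question is asking about (example code written for this page, not from the question, from AWS, or from any real deployment). The assumed design: the device certificate and IoT policy still gate the MQTT connection and the topic, but the Lambda behind `p/<serial>/deletelog/<log_nb>` additionally requires a short-lived, HMAC-signed token in the message payload. The token is minted by a backend only after a human operator has logged in, is bound to one serial number and one operation, expires, and cannot be replayed. The signing secret lives only in the backend (for example in a secrets store), never in firmware, so a stolen certificate alone is not enough to trigger the delete. Names such as `BACKEND_SECRET`, `issue_token`, `verify_token` and `handle_delete` are hypothetical.

```python
"""Operator-bound authorization token on top of AWS IoT certificate/policy auth.

Flow (assumed for this example):
  1. Operator logs in to a backend (password/MFA) and asks for permission to
     delete log <log_nb> on device <serial>.
  2. Backend calls issue_token() and returns the token to the operator.
  3. The message published on p/<serial>/deletelog/<log_nb> carries
     {"token": "<token>"} in its payload.
  4. The Lambda behind the IoT rule calls handle_delete(); only a valid,
     unexpired, unreplayed token bound to this serial and operation passes.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

TOPIC_PREFIX = "p"
OPERATION = "deletelog"

# Constructed demo secret. In a real deployment this is loaded at runtime by the
# backend/Lambda (e.g. from a secrets manager) and is never shipped in firmware.
BACKEND_SECRET = b"demo-backend-secret-not-in-firmware"


def _sign(secret, claims):
    """HMAC-SHA256 over a canonical JSON encoding of the claims."""
    canonical = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(secret, canonical, hashlib.sha256).hexdigest()


def issue_token(secret, serial, operation, ttl_seconds=300, now=None):
    """Backend side: mint a token after the operator has authenticated."""
    now = int(time.time()) if now is None else now
    claims = {
        "sub": serial,                    # device the token is valid for
        "op": operation,                  # operation the token is valid for
        "exp": now + ttl_seconds,         # short lifetime limits the replay window
        "nonce": secrets.token_hex(8),    # lets the verifier reject replays
    }
    envelope = {"claims": claims, "sig": _sign(secret, claims)}
    return base64.urlsafe_b64encode(json.dumps(envelope).encode()).decode()


def verify_token(secret, token, serial, operation, now=None, used_nonces=None):
    """Return (ok, reason). Checks signature, binding, expiry and replay, in that order."""
    now = int(time.time()) if now is None else now
    try:
        envelope = json.loads(base64.urlsafe_b64decode(token.encode()))
        claims, sig = envelope["claims"], envelope["sig"]
        if not isinstance(claims, dict) or not isinstance(sig, str):
            raise TypeError
    except (ValueError, KeyError, TypeError, AttributeError):
        return False, "malformed token"
    if not hmac.compare_digest(_sign(secret, claims), sig):
        return False, "bad signature"
    if claims.get("sub") != serial:
        return False, "token bound to another device"
    if claims.get("op") != operation:
        return False, "token bound to another operation"
    if not isinstance(claims.get("exp"), int) or claims["exp"] < now:
        return False, "token expired"
    if used_nonces is not None:
        # used_nonces stands in for a persistent store (e.g. a DynamoDB item with TTL).
        if claims.get("nonce") in used_nonces:
            return False, "token replayed"
        used_nonces.add(claims.get("nonce"))
    return True, "ok"


def parse_topic(topic):
    """p/<serial>/deletelog/<log_nb> -> (serial, log_nb), or None if the shape is wrong."""
    parts = topic.split("/")
    if len(parts) != 4 or parts[0] != TOPIC_PREFIX or parts[2] != OPERATION:
        return None
    return parts[1], parts[3]


def handle_delete(topic, payload, secret=BACKEND_SECRET, now=None, used_nonces=None):
    """Lambda side: decide whether a message on the delete topic may act.

    Returns (allowed, reason). The serial is taken from the topic, which the IoT
    policy already pins to the connecting thing, and the token must be bound to
    that same serial.
    """
    parsed = parse_topic(topic)
    if parsed is None:
        return False, "unexpected topic"
    serial, log_nb = parsed
    try:
        body = json.loads(payload)
        if not isinstance(body, dict):
            raise ValueError
    except ValueError:
        return False, "malformed payload"
    ok, reason = verify_token(secret, body.get("token", ""), serial, OPERATION, now, used_nonces)
    if not ok:
        return False, reason
    # Only here would the real handler issue the DELETE against the database.
    return True, "delete log %s of %s" % (log_nb, serial)


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = issue_token(BACKEND_SECRET, "SN123", OPERATION, 300, t0)
    seen = set()
    print(handle_delete("p/SN123/deletelog/7", '{"token": "%s"}' % tok, now=t0, used_nonces=seen))
    print(handle_delete("p/SN123/deletelog/7", '{"token": "%s"}' % tok, now=t0, used_nonces=seen))
    print(handle_delete("p/SN123/deletelog/7", '{}', now=t0))
```

Two caveats a practitioner would add. First, the token only helps if the attacker who holds the certificate cannot also obtain a token, so the backend that issues it must authenticate the human (password plus MFA, or an existing SSO) and must not be reachable with the device certificate alone. Second, the IoT policy should still be scoped so that each certificate can publish only to its own serial number's topics (AWS IoT policies support thing-name policy variables for this); otherwise a single stolen certificate could target other devices even before the token check runs. The token layer then limits the damage of a stolen certificate to "publish noise that the Lambda rejects".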