What is an EC2 Instance Profile?
An instance profile is a container for an IAM role that lets an EC2 instance receive temporary credentials for that role automatically.
An EC2 instance cannot hold an IAM role directly. Instead, the role is wrapped in an instance profile, and the instance profile is attached to the instance. The instance metadata service then provides rotating temporary credentials for the role to anything running on the instance.
Instance profiles are a common privilege path: any code or process on the instance can read those credentials from the metadata endpoint. Pinning the instance to the second version of the metadata service (IMDSv2) and scoping the role tightly are the core defenses.
Example

```shell
aws ec2 associate-iam-instance-profile \
  --instance-id i-0abc123 \
  --iam-instance-profile Name=app-instance-profile
```

Common mistake
Attaching an over-permissioned role through an instance profile means any process on the box — including a compromised dependency — inherits those permissions via the metadata service.
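As an added check (not part of the original page), the audit below walks the JSON shape of `aws ec2 describe-instances` and flags every instance that has an instance profile attached but still answers IMDSv1 requests (HttpTokens not "required"), printing the real CLI command that pins it to IMDSv2. The sample response, account id, instance ids and profile ARNs are constructed placeholders.

```python
"""Flag EC2 instances serving role credentials over IMDSv1."""
import json

# Constructed sample in the shape of `aws ec2 describe-instances` output.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0abc123",
         "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/app-instance-profile"},
         "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled",
                             "HttpPutResponseHopLimit": 2}},
        {"InstanceId": "i-0def456",
         "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/batch-profile"},
         "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled",
                             "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0nocreds",
         "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled",
                             "HttpPutResponseHopLimit": 1}},
    ]}]
})


def audit_instance_profiles(describe_json: str) -> list[dict]:
    """Return one finding per instance whose role credentials are reachable via IMDSv1.

    Only instances that actually carry an instance profile are considered: with no
    profile attached the metadata service has no credentials to hand out.
    """
    findings = []
    for reservation in json.loads(describe_json).get("Reservations", []):
        for inst in reservation.get("Instances", []):
            profile = inst.get("IamInstanceProfile")
            if not profile:
                continue  # no role attached, nothing to expose
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # metadata service switched off entirely
            if opts.get("HttpTokens") == "required":
                continue  # IMDSv2 already enforced (session token needed)
            findings.append({
                "InstanceId": inst["InstanceId"],
                "InstanceProfileArn": profile.get("Arn"),
                # Hop limit > 1 lets IMDSv2 responses cross a container/NAT hop.
                "HopLimit": opts.get("HttpPutResponseHopLimit"),
                # Remediation uses the real AWS CLI flags for enforcing IMDSv2.
                "Fix": (f"aws ec2 modify-instance-metadata-options "
                        f"--instance-id {inst['InstanceId']} --http-tokens required"),
            })
    return findings


if __name__ == "__main__":
    for finding in audit_instance_profiles(SAMPLE_DESCRIBE_INSTANCES):
        print(finding)
```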
Amazon Web Services (AWS) is a trademark of Amazon.com, Inc. Shieldly is not affiliated with, endorsed by, or sponsored by Amazon Web Services.