Description: 

If you use the AWS Management Console to create a role for Amazon EC2, the console automatically creates an instance profile and gives it the same name as the role. When you then use the Amazon EC2 console to launch an instance with an IAM role, you can select a role to associate with the instance. In the console, the list that's displayed is actually a list of instance profile names. The console does not create an instance profile for a role that is not associated with Amazon EC2. You can attach tags to your IAM resources, including instance profiles, to identify, organize, and control access to them. 


Rationale:  

An instance profile needs to be attached to EC2 instances that are internet-facing. You create roles and instance profiles as separate actions if you manage your roles from the AWS CLI or the AWS API. Because roles and instance profiles can have different names, you must know the names of your instance profiles as well as the names of the roles they contain. That way you can choose the correct instance profile when you launch an EC2 instance.


Impact:

Amazon EC2 uses an instance profile as a container for an IAM role. To grant users permission to launch instances with an IAM role, or to attach or replace an IAM role for an existing instance using the Amazon EC2 console, you must grant them permission to use iam:ListInstanceProfiles, iam:PassRole, ec2:AssociateIamInstanceProfile, and ec2:ReplaceIamInstanceProfileAssociation in addition to any other permissions they might need.


Default value:

By default, no instance profile is attached to an EC2 instance.


Pre-requisites:

  • Sign in as an admin or IAM user with the required permissions



Remediation:


Test Plan

To determine whether an instance profile is attached to an EC2 instance, perform the following:

  1. Sign in to the AWS Management Console.

  2. Go to the EC2 dashboard at https://console.aws.amazon.com/ec2/.

  3. Click on Instances in the left navigation pane.

  4. Select the instance that you want to examine.

  5. In the Details tab at the bottom, check whether an IAM role is attached.
     If no IAM role is listed, no instance profile is attached to the instance.



Implementation steps:

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. Click on Instances in the left navigation pane.

  3. Choose the instance that you want to attach an IAM role to.
  4. Click on Actions, choose Security, and then select Modify IAM role.
  5. On the Modify IAM role page, choose the instance profile that you want to attach from the drop-down list, or create a new role by clicking Create new IAM role.
  6. Click on Save.


Using AWS CLI:

If you haven't already created an instance profile, run the following AWS CLI command:

aws iam create-instance-profile --instance-profile-name EXAMPLEPROFILENAME

Run the following AWS CLI command to add the role to the instance profile:

aws iam add-role-to-instance-profile --instance-profile-name EXAMPLEPROFILENAME --role-name EXAMPLEROLENAME


Run the following AWS CLI command to attach the instance profile to the EC2 instance:

aws ec2 associate-iam-instance-profile --iam-instance-profile Name=EXAMPLEPROFILENAME --instance-id i-012345678910abcde
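The Test Plan check and the CLI remediation above, as an added example script that is not part of this control's text: it audits the response shape of `aws ec2 describe-instances` (or boto3's describe_instances) for instances with no IamInstanceProfile and emits the associate-iam-instance-profile command for each finding. The embedded response, account ID, instance IDs and profile names are constructed sample values.

```python
"""Audit EC2 instances for a missing IAM instance profile (added example).

Runs over the JSON shape returned by `aws ec2 describe-instances` (or
boto3's describe_instances); exercised here on a constructed response.
"""

# Constructed sample: one instance with a profile, one without, and one
# terminated instance (skipped: nothing can be attached to it).
SAMPLE_RESPONSE = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa11111111aaaaa", "State": {"Name": "running"},
     "IamInstanceProfile": {"Id": "AIPAEXAMPLEID",
                            "Arn": "arn:aws:iam::123456789012:instance-profile/web-profile"}},
    {"InstanceId": "i-0bbb22222222bbbbb", "State": {"Name": "running"}},
    {"InstanceId": "i-0ccc33333333ccccc", "State": {"Name": "terminated"}},
]}]}


def profile_name_from_arn(arn: str) -> str:
    """Instance-profile ARNs end in 'instance-profile/<optional path>/<name>'."""
    return arn.split(":instance-profile/", 1)[1].rsplit("/", 1)[-1]


def audit_instance_profiles(response: dict) -> dict:
    """Map each non-terminated InstanceId to its instance-profile name, or
    None when no profile is attached (the IamInstanceProfile key is absent)."""
    findings = {}
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") == "terminated":
                continue
            profile = inst.get("IamInstanceProfile")
            findings[inst["InstanceId"]] = (
                profile_name_from_arn(profile["Arn"]) if profile else None)
    return findings


def remediation_commands(findings: dict, profile_name: str) -> list:
    """Build the page's associate-iam-instance-profile command for every
    instance without a profile; profile_name is the operator's chosen profile."""
    return [f"aws ec2 associate-iam-instance-profile "
            f"--iam-instance-profile Name={profile_name} --instance-id {iid}"
            for iid, name in findings.items() if name is None]


if __name__ == "__main__":
    result = audit_instance_profiles(SAMPLE_RESPONSE)
    for iid, name in result.items():
        print(iid, name or "NO INSTANCE PROFILE ATTACHED")
    print("\n".join(remediation_commands(result, "EXAMPLEPROFILENAME")))
```

To run it against a live account, replace SAMPLE_RESPONSE with the output of boto3.client("ec2").describe_instances(), which requires ec2:DescribeInstances.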



Back out plan:

If you want to detach the role from the instance, follow the steps below:

  1. Select the instance, choose Actions, select Security, and click on Modify IAM role.

  2. For the IAM role, choose No IAM Role from the drop-down list and click Save.

  3. In the confirmation dialog box, enter Detach, and then choose Detach.


Reference:

IAM roles for Amazon EC2 - Amazon Elastic Compute Cloud 

https://aws.amazon.com/premiumsupport/knowledge-center/attach-replace-ec2-instance-profile/