Detect, troubleshoot & optimize AWS environments in real-time ->

Amazon Web Service (AWS)

Instance Profile

An instance profile is used to attach an IAM role to an EC2 instance which allows any application running on the instance to access resources defined in the IAM role policies.
The cost of using Identity and Access Management (IAM) features is free, as it is included in the overall cost of using Amazon Web Services (AWS). There are no charges for creating or using IAM users, groups, roles, or policies. However, some AWS services, such as Amazon S3 or Amazon EC2, may incur charges for using IAM features, such as creating an IAM role to access an Amazon S3 bucket or an Amazon EC2 instance.
Direct Cost


Indirect Cost
No items found.
Terraform Name
Instance Profile
  • name - (Optional, Forces new resource) Name of the instance profile. If omitted, Terraform will assign a random, unique name. Conflicts with name_prefix. Can be a string of characters consisting of upper and lowercase alphanumeric characters and these special characters: _, +, =, ,, ., @, -. Spaces are not allowed.
  • name_prefix - (Optional, Forces new resource) Creates a unique name beginning with the specified prefix. Conflicts with name.
  • path - (Optional, default "/") Path to the instance profile. For more information about paths, see IAM Identifiers in the IAM User Guide. Can be a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. Can include any ASCII character from the ! (\u0021) through the DEL character (\u007F), including most punctuation characters, digits, and upper and lowercase letters.
  • role - (Optional) Name of the role to add to the profile.
  • tags - (Optional) Map of resource tags for the IAM Instance Profile. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

Associating resources with a
Instance Profile
Resources do not "belong" to a
Instance Profile
Rather, one or more Security Groups are associated to a resource.
Instance Profile
via Terraform:
The following HCL creates an instance profile

resource "aws_iam_instance_profile" "test_profile" {
 name = "test_profile"
 role =

resource "aws_iam_role" "role" {
 name = "test_role"
 path = "/"

 assume_role_policy = <<EOF
   "Version": "2012-10-17",
   "Statement": [
           "Action": "sts:AssumeRole",
           "Principal": {
              "Service": ""
           "Effect": "Allow",
           "Sid": ""

Instance Profile
via CLI:

--instance-profile-name <value>
[--path <value>]
[--tags <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--endpoint-url <value>]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]


aws iam create-instance-profile --instance-profile-name Webserver

Best Practices for
Instance Profile

Categorized by Availability, Security & Compliance and Cost

No items found.
Explore all the rules our platform covers
Related blog posts
All Resources