---
title: EC2 instance has no IAM role
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > EC2 instance has no IAM role
---

# EC2 instance has no IAM role

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `cloudformation-aws-ec2-instance-has-no-iam-role` 

**Provider:** AWS

**Platform:** CloudFormation

**Severity:** Medium

**Category:** Access Control

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html)

### Description{% #description %}

Amazon EC2 instances must be associated with an IAM instance profile so the instance can assume a temporary IAM role. Without a profile, workloads may require embedded long‑lived credentials or run without least‑privilege access, increasing the risk of credential exposure and excessive privileges.

In CloudFormation, every `AWS::EC2::Instance` should define `Resources.<Name>.Properties.IamInstanceProfile`. That value must reference an existing `AWS::IAM::InstanceProfile` resource in the template (either a `Ref` or the resource logical name). The referenced `AWS::IAM::InstanceProfile` resource must include `Properties.Roles` with one or more role names or `Ref`s so the instance actually receives an IAM role.

This rule flags EC2 instances missing `IamInstanceProfile`, instances whose `IamInstanceProfile` does not match any resource in the template, and instance profile resources that do not define `Roles`.

Secure CloudFormation example:

```yaml
MyRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Statement:
        - Effect: Allow
          Principal:
            Service: ec2.amazonaws.com
          Action: sts:AssumeRole

MyInstanceProfile:
  Type: AWS::IAM::InstanceProfile
  Properties:
    Roles:
      - Ref: MyRole

MyInstance:
  Type: AWS::EC2::Instance
  Properties:
    IamInstanceProfile: Ref: MyInstanceProfile
    ImageId: ami-0123456789abcdef0
```

## Compliant Code Examples{% #compliant-code-examples %}

```yaml

Resources:
  Test:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType:
        Ref: InstanceType
      ImageId:
        Fn::FindInMap:
        - AMIs
        - Ref: AWS::Region
        - Name
      KeyName:
        Ref: KeyName
      IamInstanceProfile:
        Ref: ListS3BucketsInstanceProfile
      SecurityGroupIds:
      - Ref: SSHAccessSG
      Tags:
      - Key: Name
        Value: Test
  ListS3BucketsInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: "/"
      Roles:
      - Ref: ListS3BucketsRole
  ListS3BucketsRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            Service:
            - ec2.amazonaws.com
          Action:
          - sts:AssumeRole
      Path: "/"
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
Resources:
  NoIAM:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType:
        Ref: InstanceType
      ImageId:
        Fn::FindInMap:
          - AMIs
          - Ref: AWS::Region
          - Name
      KeyName:
        Ref: KeyName
      Tags:
        - Key: Name
          Value: Test
  IAM_Missing:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType:
        Ref: InstanceType
      ImageId:
        Fn::FindInMap:
          - AMIs
          - Ref: AWS::Region
          - Name
      KeyName:
        Ref: KeyName
      IamInstanceProfile:
        Ref: NonExistantProfile
      SecurityGroupIds:
        - Ref: SSHAccessSG
      Tags:
        - Key: Name
          Value: Test
  IAMNoRoles:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType:
        Ref: InstanceType
      ImageId:
        Fn::FindInMap:
          - AMIs
          - Ref: AWS::Region
          - Name
      KeyName:
        Ref: KeyName
      IamInstanceProfile:
        Ref: NoRolesProfile
      Tags:
        - Key: Name
          Value: Test
  NoRolesProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: "/"
```

```yaml
Resources:
  NoIAM:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType:
        Ref: InstanceType
      ImageId:
        Fn::FindInMap:
          - AMIs
          - Ref: AWS::Region
          - Name
      KeyName:
        Ref: KeyName
      Tags:
        - Key: Name
          Value: Test
  IAM_Missing:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType:
        Ref: InstanceType
      ImageId:
        Fn::FindInMap:
          - AMIs
          - Ref: AWS::Region
          - Name
      KeyName:
        Ref: KeyName
      IamInstanceProfile: NonExistantProfile
      SecurityGroupIds:
        - Ref: SSHAccessSG
      Tags:
        - Key: Name
          Value: Test
  IAMNoRoles:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType:
        Ref: InstanceType
      ImageId:
        Fn::FindInMap:
          - AMIs
          - Ref: AWS::Region
          - Name
      KeyName:
        Ref: KeyName
      IamInstanceProfile: NoRolesProfile
      Tags:
        - Key: Name
          Value: Test
  NoRolesProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: "/"
```