There's more...

Here are some more facts to keep in mind about IAM:

  • IAM is a global service. This means that the roles and policies that you create will be available in every region.
  • You'll find all the available AWS Managed Policies in the AWS web console. There are quite a few of them, so don't be afraid to use the search bar.
  • There's another kind of policy, called a Customer-Managed Policy. These are policies that you create and maintain yourself, and they appear in the AWS console alongside the AWS Managed Policies.
  • It is possible to attach an IAM role to an existing, running EC2 instance. This was not always the case: originally a role could only be assigned at the time the instance was launched.
  • The credentials returned by the instance metadata service are temporary credentials for the instance's role, and AWS rotates them automatically and periodically. Note that any process on the instance that can reach the metadata endpoint can read them, so the role should carry no more permissions than the workload needs.
  • It's not always appropriate to use an AWS Managed Policy. For example, if a server needs to write to CloudWatch Logs, it may be tempting to attach the AWS Managed Policy that provides full access to its role. If you do this, however, you'll also be giving the server permission to delete log groups and streams, which is almost certainly undesirable. Inspect a policy before you apply it, and prefer an Inline or Customer-Managed Policy that lists only the actions (and resources) actually required. The principle of least privilege applies here.
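To make the last point concrete, here is an added example (not code from the book): a least-privilege customer-managed policy for a log-shipping server placed next to a constructed stand-in for a "full access" policy (`logs:*`), plus a small evaluator that checks which CloudWatch Logs actions each policy allows. The account ID and log-group ARN are hypothetical placeholders, and the evaluator only handles `Effect` and `Action` (with IAM's case-insensitive `*`/`?` wildcards and Deny-overrides-Allow); it ignores `NotAction`, `Resource` matching and `Condition` blocks.

```python
"""Added example: compare a broad CloudWatch Logs policy with a
least-privilege one by evaluating which actions each allows."""
import fnmatch
import json

# Constructed stand-in for a "full access" managed policy: everything in logs:*.
FULL_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "logs:*", "Resource": "*"},
    ],
}

# Least-privilege customer-managed policy: only what a log-shipping agent needs,
# scoped to one log group. The account ID and log-group name are hypothetical.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:DescribeLogStreams",
            ],
            "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/app/web:*",
        },
    ],
}

# Actions that let a principal destroy or weaken log data; an application
# server has no business holding any of these.
DESTRUCTIVE_ACTIONS = (
    "logs:DeleteLogGroup",
    "logs:DeleteLogStream",
    "logs:DeleteRetentionPolicy",
)


def _as_list(value):
    """IAM allows "Action": "x" or "Action": ["x", "y"]; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action names are matched case-insensitively with * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def policy_allows(policy, action):
    """Evaluate one identity policy for one action (resource/condition ignored).

    An explicit Deny in any statement wins over every Allow; if no statement
    allows the action, the result is an implicit deny.
    """
    allowed = False
    for stmt in policy["Statement"]:
        patterns = _as_list(stmt.get("Action", []))
        if not any(_matches(p, action) for p in patterns):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def destructive_actions_allowed(policy):
    """Return the destructive CloudWatch Logs actions this policy grants."""
    return [a for a in DESTRUCTIVE_ACTIONS if policy_allows(policy, a)]


if __name__ == "__main__":
    for name, policy in (("full access", FULL_ACCESS_POLICY),
                         ("least privilege", LEAST_PRIVILEGE_POLICY)):
        print(f"{name}: destructive actions allowed -> "
              f"{destructive_actions_allowed(policy)}")
    print(json.dumps(LEAST_PRIVILEGE_POLICY, indent=2))
```

The same check can be run against any policy document you pull from the console or the CLI before attaching it: if `destructive_actions_allowed` returns anything for a role that only ships logs, the policy is broader than the workload requires.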