This is a good feature, but it seems now the temporary AWS access keys of the IAM role will be accessible to any application running on the EC2 instance, not just the one with the config files like before. I wonder if this will create any unexpected security issues? New kinds of trojans?
Also, I hope Boto (the Python AWS API) will support this soon.
I think the philosophy is that the trust boundary is your host, not your uid.
We seem to be migrating towards "one instance per application" from the traditional "one uid/proc per application". For the great majority of use cases this is going to be the simpler, and safer assumption.
There is no doubt that IAM is the best thing to happen to Amazon AWS in a long time. The ability to have read-only and more importantly write-only access to SQS/S3/SimpleDB is brilliant. What is still needed though is a way to securely manage the keys/certificates on the actual server. Maybe Amazon could build a key store that only unlocks from certain processes at certain times and logs access attempts.
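As an added illustration of the read-only and write-only access the comment above praises (this is an example policy written for this thread, not something any commenter posted or an AWS-provided document), the following IAM policy could be attached to an EC2 instance role. The bucket names, queue name, region and the 12-digit account id are placeholders; replace them with your own.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "WriteOnlyDropBox",
      "Effect": "Allow",
      "Action": ["s3:PutObject"],
      "Resource": "arn:aws:s3:::example-upload-bucket/*"
    },
    {
      "Sid": "ReadOnlyConfig",
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::example-config-bucket/*"
    },
    {
      "Sid": "SendOnlyQueue",
      "Effect": "Allow",
      "Action": ["sqs:SendMessage"],
      "Resource": "arn:aws:sqs:us-east-1:123456789012:example-queue"
    }
  ]
}
```

The first statement lets the instance upload objects but not read or list them (no `s3:GetObject` or `s3:ListBucket`), so a compromised process can add data but cannot exfiltrate what is already there; the second grants read access to a separate configuration bucket and nothing else; the third lets the instance enqueue work without being able to receive or delete messages. Because the role's temporary credentials are, as the first comment notes, visible to every process on the host, scoping the role this tightly is the practical mitigation available today: whatever reads those credentials gets only these actions on only these resources.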