This pattern provides an AWS CloudFormation security control template that sets up automatic notification when an AWS Identity and Access Management (IAM) profile violation occurs for an Amazon Elastic Compute Cloud (Amazon EC2) instance.
An instance profile is a container for an IAM role that you can use to pass role information to an EC2 instance when the instance starts.
Amazon CloudWatch Events initiates this check when AWS CloudTrail logs Amazon EC2 API calls for the RunInstances, AssociateIamInstanceProfile, and ReplaceIamInstanceProfileAssociation actions. The trigger invokes an AWS Lambda function, which inspects the CloudWatch Events event to check the IAM instance profile attached to the instance.
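An added illustration of the Lambda side of this control (example code, not the pattern's own template): it evaluates a CloudTrail event delivered by CloudWatch Events for the three EC2 actions named above, pulls out the instance profile ARN and affected instance IDs, and returns a finding when the profile is not on an allow-list. The allow-list, the sample event, and the exact field paths in `requestParameters`/`responseElements` are assumptions.

```python
import json

# Assumption (not on the page): the control treats any instance profile
# outside this allow-list as a violation.
ALLOWED_PROFILE_ARNS = {
    "arn:aws:iam::123456789012:instance-profile/approved-web-profile",
}
WATCHED_ACTIONS = {"RunInstances", "AssociateIamInstanceProfile",
                   "ReplaceIamInstanceProfileAssociation"}


def instance_ids(params, resp):
    """Collect instance IDs; each of the three actions records them differently."""
    ids = []
    if params.get("instanceId"):                      # AssociateIamInstanceProfile
        ids.append(params["instanceId"])
    assoc = resp.get("iamInstanceProfileAssociation") or {}
    if assoc.get("instanceId"):                       # ReplaceIamInstanceProfileAssociation
        ids.append(assoc["instanceId"])
    for item in (resp.get("instancesSet") or {}).get("items", []):  # RunInstances
        ids.append(item.get("instanceId"))
    return ids


def evaluate(event):
    """Return a finding for a non-approved profile, or None when compliant."""
    detail = event.get("detail") or {}
    action = detail.get("eventName")
    if action not in WATCHED_ACTIONS:
        return None
    params = detail.get("requestParameters") or {}
    arn = (params.get("iamInstanceProfile") or {}).get("arn")
    if arn is None or arn in ALLOWED_PROFILE_ARNS:    # no profile at all, or approved
        return None
    return {"action": action, "profileArn": arn,
            "instanceIds": instance_ids(params, detail.get("responseElements") or {}),
            "principal": (detail.get("userIdentity") or {}).get("arn")}


def handler(event, context):
    """Lambda entry point; the real template would forward the finding to SNS."""
    finding = evaluate(event)
    if finding:
        print(json.dumps(finding))                    # lands in CloudWatch Logs
    return finding or {"compliant": True}


# Constructed sample event in the EventBridge "AWS API Call via CloudTrail" shape.
SAMPLE_VIOLATION = {"detail": {
    "eventName": "AssociateIamInstanceProfile",
    "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
    "requestParameters": {"instanceId": "i-0abc123def456",
        "iamInstanceProfile": {"arn": "arn:aws:iam::123456789012:instance-profile/unvetted"}},
}}
```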