From 36d0e6690d22b0920028749ed2f6ace67a31512f Mon Sep 17 00:00:00 2001
From: sethp-jive
Date: Thu, 25 Aug 2016 15:28:39 -0700
Subject: [PATCH] aws_iam_instance_profile: Restrict example perms

In this example, principal "AWS": "*" tells IAM that any user in the world can assume that role as long as they know the account ID + role name. In my testing, "Service": "ec2.amazonaws.com" is sufficiently permissive to allow the instance_profile to work without allowing global accesses.
---
 .../docs/providers/aws/r/iam_instance_profile.html.markdown | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/website/source/docs/providers/aws/r/iam_instance_profile.html.markdown b/website/source/docs/providers/aws/r/iam_instance_profile.html.markdown
index 05ec3022f..c87fcdfbc 100644
--- a/website/source/docs/providers/aws/r/iam_instance_profile.html.markdown
+++ b/website/source/docs/providers/aws/r/iam_instance_profile.html.markdown
@@ -27,7 +27,9 @@ resource "aws_iam_role" "role" {
 "Statement": [
 {
 "Action": "sts:AssumeRole",
- "Principal": {"AWS": "*"},
+ "Principal": {
+ "Service": "ec2.amazonaws.com"
+ },
 "Effect": "Allow",
 "Sid": ""
 }