Thursday, 6 October 2016

EC2 IAM roles temporary credentials

If an instance has an IAM role attached, any process on that instance, whatever local user it runs as, can fetch the role's temporary credentials from the metadata service: from the instance's point of view the endpoint is an unauthenticated HTTP GET. All three values must be exported, including the session token; an ASIA... access key and its secret are rejected without the matching token, so the original two-line version below would never have produced working credentials:
ROLE=$(curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/)
CREDS=$(curl -s "http://169.254.169.254/latest/meta-data/iam/security-credentials/${ROLE}")
export AWS_ACCESS_KEY_ID=$(echo "$CREDS" | grep AccessKeyId | cut -d'"' -f4)
export AWS_SECRET_ACCESS_KEY=$(echo "$CREDS" | grep SecretAccessKey | cut -d'"' -f4)
export AWS_SESSION_TOKEN=$(echo "$CREDS" | grep '"Token"' | cut -d'"' -f4)

The first request lists the role name attached to the instance profile; the second returns a JSON document like this (values redacted):

{
  "Code" : "Success",
  "LastUpdated" : "2016-10-12T21:57:49Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIAJUHV3DM4xxxxxxx",
  "SecretAccessKey" : "yRjQK8sY+QbdU01bZnss0XXfWGUxxxxxxxxx",
  "Token" : "<session token redacted>",
  "Expiration" : "2016-10-05T03:58:59Z"
}

The credentials can only be fetched from the instance itself: 169.254.169.254 is a link-local address, so an attacker needs to run code on the instance, or trick a process on it into making the request on their behalf. They are also short-lived (the Expiration field above; the SDKs refresh them automatically), and the role can additionally be restricted to approved source IP ranges with an IAM condition. The condition only does what is intended inside a Deny statement, which blocks every request that does not come from the listed ranges; the same NotIpAddress condition inside an Allow statement does the opposite and grants access from everywhere except those ranges:
{
  "Effect": "Deny",
  "Action": "*",
  "Resource": "*",
  "Condition": {"NotIpAddress": {"aws:SourceIp": [ "192.0.2.0/24", "203.0.113.0/24" ]}}
}

Two checks before deploying this: the instance's own outbound address (its Elastic IP or NAT gateway) must be inside the listed ranges, or the role stops working for the instance too; and aws:SourceIp is the public address the AWS API sees, so requests arriving through a VPC endpoint carry a private address and need aws:VpcSourceIp instead.
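The following is an added example, not code from the original post, showing both halves of the argument in runnable form: parsing the credential document (including the session token) and checking its remaining lifetime, then evaluating the IP-restriction policy against candidate source addresses. The IMDS response is a constructed sample with placeholder values, and the evaluator is a deliberately simplified model of IAM's explicit-deny / allow / implicit-deny ordering that only understands Action, Effect and aws:SourceIp conditions; it is not AWS's real policy engine. It includes a mis-written Allow+NotIpAddress statement to show that it grants access from the wrong side of the fence.

```python
"""Added example (not from the original post): parse an IMDS credential
document and evaluate an IP-restricting IAM policy against source IPs."""
import fnmatch
import ipaddress
import json
from datetime import datetime, timezone

# Constructed sample of /latest/meta-data/iam/security-credentials/<role>.
# The key, secret and token are placeholders, not real credentials.
SAMPLE_IMDS_RESPONSE = """{
  "Code" : "Success",
  "LastUpdated" : "2016-10-05T03:57:49Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIAEXAMPLEKEYID0000",
  "SecretAccessKey" : "exampleSecret/Key+With=Symbols",
  "Token" : "exampleSessionToken==",
  "Expiration" : "2016-10-05T09:58:59Z"
}"""

# Correct shape: an Allow for what the role needs, plus a Deny that fires
# for any request NOT coming from the approved ranges. Deny always wins.
IP_RESTRICTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": ["192.0.2.0/24", "203.0.113.0/24"]}}},
    ],
}

# Common mistake: the same NotIpAddress condition attached to the Allow.
# This grants access from everywhere EXCEPT the approved ranges.
MISTAKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": ["192.0.2.0/24", "203.0.113.0/24"]}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_imds_credentials(body):
    """Extract the three values the SDK needs. Without the session token an
    ASIA... key pair is useless, which is why the token must be exported too."""
    doc = json.loads(body)
    if doc.get("Code") != "Success":
        raise ValueError("IMDS returned Code=%r" % doc.get("Code"))
    return {
        "AWS_ACCESS_KEY_ID": doc["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": doc["SecretAccessKey"],
        "AWS_SESSION_TOKEN": doc["Token"],
        "Expiration": doc["Expiration"],
    }


def seconds_until_expiry(creds, now_utc):
    """Remaining lifetime given a UTC timestamp string like the IMDS fields."""
    return (_parse_ts(creds["Expiration"]) - _parse_ts(now_utc)).total_seconds()


def _source_ip_condition_holds(condition, source_ip):
    """Evaluate IpAddress / NotIpAddress on aws:SourceIp; other keys ignored."""
    ip = ipaddress.ip_address(source_ip)
    for operator, keys in condition.items():
        if "aws:SourceIp" not in keys:
            continue
        in_range = any(ip in ipaddress.ip_network(r, strict=False)
                       for r in _as_list(keys["aws:SourceIp"]))
        if operator == "IpAddress" and not in_range:
            return False
        if operator == "NotIpAddress" and in_range:
            return False
    return True


def evaluate(policy, action, source_ip):
    """Simplified IAM decision: explicit deny wins, then allow, else implicit deny.
    Resource and Principal matching are intentionally omitted."""
    decision = "implicit-deny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
            continue
        if not _source_ip_condition_holds(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit-deny"
        decision = "allow"
    return decision


if __name__ == "__main__":
    creds = parse_imds_credentials(SAMPLE_IMDS_RESPONSE)
    print("valid for %.0f s" % seconds_until_expiry(creds, "2016-10-05T03:58:59Z"))
    for ip in ("192.0.2.10", "198.51.100.7"):
        print(ip, "correct:", evaluate(IP_RESTRICTION_POLICY, "s3:GetObject", ip),
              "mistaken:", evaluate(MISTAKEN_POLICY, "s3:GetObject", ip))
```

Running it shows the approved address allowed and the outside address explicitly denied under the Deny form, while the mistaken Allow form inverts both results. Stolen credentials used from an attacker's own network fall into the "outside" case, which is the whole point of the condition.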
