
Adding permission to IAM role

I want to add permissions to my instance's IAM roles to allow for the use of Cloudwatch Log Service. Upon looking at the Configuration Guide for the service, I see the following passage:

The CloudWatch Logs agent supports IAM roles and users. If your instance already has an IAM role associated with it, make sure that you include the IAM policy below. If you don't already have an IAM role assigned to your instance, you'll need to use your IAM credentials for the next steps because you cannot assign an IAM role to an existing instance; you can only specify a role when you launch a new instance.

I'm having a hard time figuring exactly what this means. When I created a new instance, I made an IAM role with the CloudWatchLogsFullAccess policy and an inline policy the configuration guide tells you to add:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogStreams"
      ],
      "Resource": [
        "arn:aws:logs:*:*:*"
      ]
    }
  ]
}

This was for a new instance; however, the above passage confuses me about adding permissions to existing instances. Can I just add the CloudWatchLogsFullAccess policy to the existing instance's role, and that inline policy as well?
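One way to see what the two policies in the question actually grant before stacking them on a role, as an added example that is not code from the question or from AWS. It embeds the question's inline policy as sample input; the CloudWatchLogsFullAccess stand-in is a constructed approximation (assumed to be logs:* on every resource), and Deny statements and Condition blocks are deliberately not evaluated.

```python
import json
import re

# Inline policy quoted in the question, embedded here as the sample input.
AGENT_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Action": ["logs:CreateLogGroup", "logs:CreateLogStream",
                           "logs:PutLogEvents", "logs:DescribeLogStreams"],
                "Resource": ["arn:aws:logs:*:*:*"]}]}
""")
# Constructed stand-in for the CloudWatchLogsFullAccess managed policy
# (assumption: modelled as logs:* on every resource; the real document may differ).
FULL_ACCESS_STANDIN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "logs:*", "Resource": "*"}]}
# What the agent needs: the four actions listed in the question's inline policy.
REQUIRED_ACTIONS = {"logs:CreateLogGroup", "logs:CreateLogStream",
                    "logs:PutLogEvents", "logs:DescribeLogStreams"}

def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def action_matches(pattern, action):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def allow_grants(*policies):
    """(action pattern, resource) pairs from Allow statements; Deny and Condition
    are deliberately not evaluated, so this over-approximates effective access."""
    grants = set()
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if stmt.get("Effect") == "Allow":
                for act in _as_list(stmt.get("Action", [])):
                    for res in _as_list(stmt.get("Resource", [])):
                        grants.add((act, res))
    return grants

def audit(*policies, required=REQUIRED_ACTIONS):
    """Required actions no policy grants, plus grants whose action is a wildcard
    (those reach beyond the explicit four the agent needs)."""
    grants = allow_grants(*policies)
    missing = [a for a in sorted(required)
               if not any(action_matches(p, a) for p, _ in grants)]
    broad = sorted(f"{p} on {r}" for p, r in grants if "*" in p or "?" in p)
    return {"missing": missing, "broad_grants": broad}
```

Running `audit(AGENT_POLICY)` reports nothing missing and no wildcard grants, while `audit(AGENT_POLICY, FULL_ACCESS_STANDIN)` still reports nothing missing but flags `logs:* on *`, which is the extra breadth the managed policy adds on top of what the agent already has.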

While it was true an IAM role can be assigned to an instance only during instance launch, AWS announced in February 2017 that it is now possible to replace or attach an IAM role to an existing instance.

Using AWS Console: Easily Replace or Attach an IAM Role to an Existing EC2 Instance by Using the EC2 Console

Using AWS CLI: Attach an AWS IAM Role to an Existing Amazon EC2 Instance by Using the AWS CLI
