The instance has a IAM Role attached to it, by assuming the Role EC2 can get access to any service and action specified by the policy attached to that role, without anything being stored on the instance.

(you can have a look at my previous post about IAM to understand better the concepts of Users Roles and Policies)