A dedicated piece of hardware that offload storage, networking, security related operations from VMs, so VMs get more processing power
Instance Profile
A fancy name for an IAM role managed by the meta service of EC2
IAM role tokens are automatically acquired, encrypted, stored and renewed be the meta service, so the instance can have permissions defined in the role
Security
By default Linux instances only allow SSH access using key pairs
Key pairs can be created before and or when launching instances
The only time the private key can be downloaded is at creation, there is no way to retrieve it afterwards
There is no way to change key pairs using console or API after instance launch, but you may manually replace the public key in the operating system
Windows instances have pre-generated passwords that can be retrieved and must be changed after first login
By default instances have all ports blocked, you need to add instance to a security group and open ports you needed
Billing
On-demand
Billed by the hour or second depending on the OS
Instances are billed only when instance is in running state, instances in any another state are not billed
Minimum billing period is 1 hour / 60 seconds
Run a bill-by-hour instance for 30 mins, stop it, run for 30 mins again, you get a 2 hour bill
The AWS Blog 