
Strange behavior with IAM Roles


I created an IAM Role for EC2 called Role4EC2-FA and assigned the AmazonS3FullAccess policy to it. I was able to attach the same to the EC2 instance and access the S3 services from the EC2.

In the Trust Relationship I did change the Principal Service from ec2.amazonaws.com to s3.amazonaws.com, but still I was able to attach the same IAM Role to an EC2 instance, which should not be the case. But the good thing is that S3 service was not accessible from the EC2 this time.

Is this the expected behavior?


Solution

  • It is not the trust policy which decides whether a role can be attached to an instance or not. It is the instance profile.

    The trust policy says which service can assume this role. When you changed it to S3, EC2 was not allowed anymore to assume it, that is why it couldn't access S3.

    But as you still have an instance profile, you can still attach it to an instance.

    https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html
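The distinction in the answer (the instance profile controls attachment, the trust policy controls who may call sts:AssumeRole) can be checked mechanically. The following is an added example, not code from the original question or answer: it parses a role trust policy, reports which service principals it allows to assume the role, and audits a list shaped like the output of iam:ListInstanceProfiles for profiles whose role EC2 can no longer assume. The two trust documents, the instance profile name Role4EC2-FA-profile and the audit input are constructed for the example.

```python
import json

# Constructed sample trust policies. The first is the standard EC2 role
# trust, the second is the edited one from the question (principal
# changed to s3.amazonaws.com). Neither is copied from the original post.
TRUST_EC2 = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
})

TRUST_S3 = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
})


def allowed_assume_principals(trust_policy):
    """Return the set of service principals that an Allow statement with
    sts:AssumeRole (or a wildcard covering it) lets assume the role."""
    doc = json.loads(trust_policy) if isinstance(trust_policy, str) else trust_policy
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be a bare object
        statements = [statements]
    services = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):   # "*" principals are not service principals
            continue
        svc = principal.get("Service", [])
        if isinstance(svc, str):
            svc = [svc]
        services.update(svc)
    return services


def ec2_can_assume(trust_policy):
    """True when the EC2 service principal is allowed to assume the role."""
    return "ec2.amazonaws.com" in allowed_assume_principals(trust_policy)


def audit_instance_profiles(profiles):
    """Return (profile name, role name) pairs whose role is attachable through
    an instance profile but not assumable by EC2. `profiles` mimics the
    InstanceProfiles list of iam:ListInstanceProfiles, with the
    AssumeRolePolicyDocument already decoded (as the CLI and boto3 return it)."""
    findings = []
    for profile in profiles:
        for role in profile.get("Roles", []):
            if not ec2_can_assume(role["AssumeRolePolicyDocument"]):
                findings.append((profile["InstanceProfileName"], role["RoleName"]))
    return findings


# Constructed audit input: the profile name is an assumption for the example.
SAMPLE_PROFILES = [
    {
        "InstanceProfileName": "Role4EC2-FA-profile",
        "Roles": [{"RoleName": "Role4EC2-FA", "AssumeRolePolicyDocument": TRUST_S3}],
    },
    {
        "InstanceProfileName": "healthy-profile",
        "Roles": [{"RoleName": "healthy-role", "AssumeRolePolicyDocument": TRUST_EC2}],
    },
]

if __name__ == "__main__":
    print("EC2 can assume original trust:", ec2_can_assume(TRUST_EC2))
    print("EC2 can assume edited trust:  ", ec2_can_assume(TRUST_S3))
    for name, role in audit_instance_profiles(SAMPLE_PROFILES):
        print(f"instance profile {name} carries role {role}, which EC2 cannot assume")
```

Run against real data by feeding the decoded `aws iam list-instance-profiles` output into `audit_instance_profiles`; any finding is a role that attaches fine but whose credentials will never be delivered to the instance, exactly the symptom the question describes.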