Introduction to User Data

Instance user data is a script that EC2 runs when an instance is started or rebooted. This can be an excellent source of information for us as attackers. It typically takes the form of a shell script, and it can be read from inside the EC2 instance.
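Because anything placed in user data is readable by any process on the instance that can reach the metadata service, credentials do not belong in it. The following added example (not code from the original page) shows a defender-side check: it decodes user data as returned by the EC2 API (describe-instance-attribute returns it base64-encoded; IMDS returns plain text) and flags lines that look like embedded secrets. The pattern set and the sample script are constructed for illustration; the key ID is AWS's documented example value, not a live credential.

```python
import base64
import re

# Illustrative indicator patterns (hypothetical set; extend for your environment).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_assignment": re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*\S+"),
    "password_assignment": re.compile(r"(?i)(pass(word)?|pwd)\s*[=:]\s*['\"]?[^\s'\"]+"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}


def decode_user_data(value: str) -> str:
    """User data fetched through the EC2 API is base64-encoded, while user data
    fetched from IMDS is already plain text. Accept either form: decode when the
    input is strictly valid base64, otherwise return it unchanged."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        # binascii.Error is a ValueError subclass, so non-base64 input lands here
        return value


def find_secret_indicators(script: str) -> list[tuple[int, str]]:
    """Return (line_number, pattern_name) for every script line matching an indicator."""
    hits = []
    for lineno, line in enumerate(script.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                hits.append((lineno, name))
    return hits


# Constructed sample bootstrap script of the kind a web-server instance might carry.
SAMPLE_SCRIPT = """#!/bin/bash
yum install -y httpd
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
echo "db_password=hunter2" > /etc/app.conf
systemctl enable --now httpd
"""
# The same script as the EC2 API would return it (base64 in the UserData.Value field).
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode()).decode()


if __name__ == "__main__":
    for lineno, kind in find_secret_indicators(decode_user_data(SAMPLE_B64)):
        print(f"line {lineno}: {kind}")
```

Any hit is a reason to move the value into an instance profile role, Secrets Manager or Parameter Store and to rotate it, since the user data was exposed to everything that ever ran on that instance.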

How to Access the User Data

User data can be read from the EC2 instance by requesting http://169.254.169.254/latest/user-data/ from the instance metadata service (IMDS).

IMDSv2

Version two of the instance metadata service (IMDSv2) adds protection against SSRF: every request must carry a session token, which is first obtained with an HTTP PUT and then sent as a request header. A typical SSRF can only issue a GET and cannot set request headers, so it cannot obtain the token. You can access the user data via the following.

user@host:~$ TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600") \
  && curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/user-data/
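The protection above only applies where IMDSv2 is enforced; an instance whose metadata options still allow v1 answers the plain GET without a token. The following added example (not code from the original page) audits a describe-instances response for instances that still accept IMDSv1 or use a PUT response hop limit above the chosen maximum, and builds the remediation command. The response dict is a constructed sample with the real MetadataOptions field names (HttpEndpoint, HttpTokens, HttpPutResponseHopLimit); the instance IDs are made up, and the function names are this example's own.

```python
# Constructed sample shaped like the describe-instances response returned by
# the AWS CLI or boto3; only the fields this audit reads are included.
SAMPLE_DESCRIBE_INSTANCES = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaaa000000000001",  # constructed ID: v1 still allowed
             "MetadataOptions": {"HttpEndpoint": "enabled",
                                 "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0aaaa000000000002",  # compliant
             "MetadataOptions": {"HttpEndpoint": "enabled",
                                 "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0aaaa000000000003",  # v2 enforced, but token can leave the host
             "MetadataOptions": {"HttpEndpoint": "enabled",
                                 "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 3}},
            {"InstanceId": "i-0aaaa000000000004",  # IMDS switched off entirely
             "MetadataOptions": {"HttpEndpoint": "disabled",
                                 "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
        ]}
    ]
}


def audit_imds_options(response: dict, max_hop_limit: int = 1) -> list[tuple[str, str]]:
    """Return (instance_id, finding) pairs for instances whose metadata options
    leave IMDSv1 reachable or let the v2 token travel more than max_hop_limit hops.
    A hop limit of 1 keeps the token response on the instance itself; raise
    max_hop_limit only where containers on the host legitimately need IMDS."""
    findings = []
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            iid = inst["InstanceId"]
            if opts.get("HttpEndpoint") == "disabled":
                continue  # neither v1 nor v2 is reachable, nothing to flag
            if opts.get("HttpTokens") != "required":
                findings.append((iid, "imdsv1-allowed"))
            if opts.get("HttpPutResponseHopLimit", 1) > max_hop_limit:
                findings.append((iid, "hop-limit-too-high"))
    return findings


def remediation_command(instance_id: str) -> str:
    """Build the CLI call that enforces IMDSv2 on one instance."""
    return (f"aws ec2 modify-instance-metadata-options --instance-id {instance_id} "
            "--http-tokens required --http-endpoint enabled")


if __name__ == "__main__":
    for iid, finding in audit_imds_options(SAMPLE_DESCRIBE_INSTANCES):
        print(f"{iid}: {finding}")
        if finding == "imdsv1-allowed":
            print("  fix:", remediation_command(iid))
```

Enforcing `--http-tokens required` breaks any software on the instance that still speaks IMDSv1, so check the MetadataNoToken CloudWatch metric for the instance before flipping it; the hop limit is deliberately left out of the remediation string because the right value depends on whether containers on the host need IMDS access.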