Instance user data is used to run commands when an EC2 instance is started or rebooted. This can be an excellent source of information for us as attackers. It typically takes the form of a shell script that can be accessed from the EC2 instance.
How to Access the User Data
User data can be accessed at http://169.254.169.254/latest/user-data/ from the EC2 instance.
Version two of the metadata service that serves user data (IMDSv2) adds protections against SSRF and requires the user to create and use a token. You can access it with the following.
user@host:~$ TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` \
&& curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/user-data/
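The token requirement can be reproduced offline with a simplified local mock, added here as an example and not part of the original page. `MockIMDSv2`, `fetch` and `demo` are hypothetical names, the user data is a constructed sample, and the 400/401 responses model the service's behaviour when tokens are required. A request limited to a plain GET is refused, while the PUT-then-GET flow shown above returns the script.

```python
import http.server, secrets, threading, urllib.error, urllib.request

USER_DATA = b"#!/bin/bash\necho constructed-sample\n"  # constructed sample user data
TOKENS = set()  # session tokens issued by the mock
TTL_HDR, TOKEN_HDR = "X-aws-ec2-metadata-token-ttl-seconds", "X-aws-ec2-metadata-token"
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # bypass proxies

class MockIMDSv2(http.server.BaseHTTPRequestHandler):
    """Simplified local stand-in for the metadata service with tokens required."""
    def _reply(self, code, body=b""):
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_PUT(self):  # step 1: a token is issued only to a PUT carrying a TTL header
        ttl = self.headers.get(TTL_HDR, "")
        if self.path != "/latest/api/token" or not ttl.isdigit() or not 1 <= int(ttl) <= 21600:
            return self._reply(400)
        TOKENS.add(token := secrets.token_urlsafe(32))
        self._reply(200, token.encode())

    def do_GET(self):  # step 2: data is served only with a valid token header
        if self.headers.get(TOKEN_HDR) not in TOKENS:
            return self._reply(401)
        if self.path != "/latest/user-data/":
            return self._reply(404)
        self._reply(200, USER_DATA)

    def log_message(self, *args): pass  # silence per-request logging

def fetch(base, method, path, headers=None):  # one request -> (status, body)
    req = urllib.request.Request(base + path, method=method, headers=headers or {})
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

def demo():
    server = http.server.HTTPServer(("127.0.0.1", 0), MockIMDSv2)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    plain = fetch(base, "GET", "/latest/user-data/")  # no token: refused
    _, token = fetch(base, "PUT", "/latest/api/token", {TTL_HDR: "21600"})
    with_token = fetch(base, "GET", "/latest/user-data/", {TOKEN_HDR: token.decode()})
    server.shutdown()
    server.server_close()
    return plain, with_token
```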