AWS Compute: EC2 User Data
In the AWS ecosystem, User Data is a powerful feature that allows you to automate the configuration of your Amazon EC2 instances during the launch process. This process is commonly known as bootstrapping.
Core Concepts & Execution
User Data scripts are primarily used to perform common automated configuration tasks and even run scripts after the instance starts. By default, user data runs only once, during the very first boot cycle of the instance.
- Format: Can be passed as shell scripts (starting with `#!/bin/bash`) or cloud-init directives.
- Privileges: Scripts run as the root user (no need for `sudo` inside the script).
- Size Limit: Limited to 16 KB (raw, unencoded).
- Encoding: Must be Base64-encoded when sent via the API/CLI, though the Console handles this for you.
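As an added example (not part of the original guide), the shell helper below checks a User Data file against the format, size and encoding rules listed above before it is handed to the CLI. The 16 KB limit and the `#!` / `#cloud-config` headers are AWS's; the function names and the simple credential-pattern heuristic are this example's own assumptions.

```shell
#!/bin/bash
# Added example: pre-flight checks for an EC2 User Data file.
# Function names and the secret heuristic are this example's own, not AWS tooling.

USER_DATA_MAX_BYTES=16384   # AWS limit: 16 KB of raw (unencoded) user data

# check_user_data FILE
# Returns 0 if FILE looks like valid User Data, 1 otherwise (reason on stderr).
check_user_data() {
    file="$1"
    size=$(wc -c < "$file" | tr -d ' ')
    if [ "$size" -gt "$USER_DATA_MAX_BYTES" ]; then
        echo "user data is $size bytes, over the $USER_DATA_MAX_BYTES byte raw limit" >&2
        return 1
    fi
    first=$(head -n 1 "$file")
    case "$first" in
        '#!'*|'#cloud-config'*) ;;   # shell script or cloud-init directives
        *) echo "first line must be a #! interpreter line or #cloud-config" >&2; return 1 ;;
    esac
    # Heuristic only: an AWS access key ID (AKIA + 16 chars) or a password= literal
    # in the file means a secret is about to land in plaintext, world-readable user data.
    if grep -Eq 'AKIA[0-9A-Z]{16}|password=' "$file"; then
        echo "file appears to contain a credential; read it from Secrets Manager or Parameter Store at boot instead" >&2
        return 1
    fi
    return 0
}

# encode_user_data FILE
# Prints the file Base64-encoded on a single line, which is what the API/CLI expects.
encode_user_data() {
    check_user_data "$1" || return 1
    base64 < "$1" | tr -d '\n'
}
```

Run `encode_user_data bootstrap.sh` and feed the output to the API; with the CLI's `--user-data file://bootstrap.sh` form the CLI does the encoding itself, so only the check step is needed there.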
Retrieving Metadata and User Data
Once an instance is running, it can query its own configuration using the Instance Metadata Service (IMDS). This is a critical topic for the SAA-C03 exam.
- Metadata URL: `http://169.254.169.254/latest/meta-data/`
- User Data URL: `http://169.254.169.254/latest/user-data`
Comparison: Bootstrapping vs. Golden AMIs
| Feature | User Data (Bootstrapping) | Golden AMI (Baking) |
|---|---|---|
| Launch Speed | Slower (must install software at boot) | Faster (software is pre-installed) |
| Flexibility | High (scripts can pull latest code) | Low (requires new AMI for updates) |
| Maintenance | Low (just update the script) | High (must manage versioned images) |
| Use Case | Dynamic environments, dev/test | Auto Scaling, production-ready clusters |
Decision Matrix / If–Then Guide
- If you need to install the absolute latest security patches at every launch: Use User Data.
- If your application takes 20 minutes to compile/install: Use a Golden AMI.
- If you need to pass dynamic variables (like a DB endpoint) to an instance: Use User Data.
- If you are using Auto Scaling and need to scale out rapidly: Use Golden AMIs + User Data for minor tweaks.
Exam Tips and Gotchas
- The “Once-Only” Rule: By default, User Data does NOT run when you stop and start an instance. It only runs on the initial “Launch.”
- IMDSv2 Security: AWS now recommends Instance Metadata Service Version 2 (IMDSv2), which is session-oriented and requires a `PUT` request to obtain a token before the `GET` request. This protects the metadata endpoint against SSRF attacks.
- Logging: If your script fails, check `/var/log/cloud-init-output.log` on the instance.
- Public Availability: User Data is not encrypted. Do NOT store sensitive secrets (passwords, API keys) directly in User Data. Use AWS Secrets Manager or Parameter Store instead.
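The IMDSv2 token exchange described in the tip above (and the metadata/user-data URLs from the retrieval section) as an added shell example that is not part of the original guide. The `169.254.169.254` address, the `/latest/api/token` path and the two `X-aws-ec2-metadata-token*` headers are AWS's real ones; the `IMDS_BASE` override and the function names are this example's own, added so the helpers can be exercised off-instance against a stand-in endpoint.

```shell
#!/bin/bash
# Added example: IMDSv2 helpers for use inside a User Data script.
# IMDS_BASE is an assumption of this example; on a real instance leave it unset.
IMDS_BASE="${IMDS_BASE:-http://169.254.169.254}"

# Step 1: PUT to the token endpoint, asking for a session token valid 6 hours (21600 s).
# IMDSv2 rejects a bare GET with no token, which is what stops a simple SSRF
# (one that can only issue GET requests) from reading instance credentials.
imds_token() {
    curl -sS -f -X PUT "$IMDS_BASE/latest/api/token" \
        -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"
}

# Step 2: GET a path under /latest/, presenting the token in the session header.
#   imds_get meta-data/instance-id
#   imds_get user-data
imds_get() {
    local token
    token="$(imds_token)" || return 1
    curl -sS -f "$IMDS_BASE/latest/$1" -H "X-aws-ec2-metadata-token: $token"
}

# What a bootstrap script would do with the helpers: learn who it is and where
# it runs, so the rest of the script can be parameterised without hardcoding.
bootstrap_example() {
    local instance_id region
    instance_id="$(imds_get meta-data/instance-id)" || return 1
    region="$(imds_get meta-data/placement/region)" || return 1
    echo "bootstrapping $instance_id in $region"
}
```

Failures surface as non-zero exits (`curl -f` turns the 401 that IMDSv2 returns for token-less requests into an error), so a script that uses these helpers with `set -e` stops at the first metadata problem and the reason lands in `/var/log/cloud-init-output.log`.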
Topics covered in this guide:
- Definition of Bootstrapping and User Data lifecycle.
- Shell scripts vs. Cloud-init execution.
- Instance Metadata Service (IMDS) and the 169.254.169.254 IP.
- User Data size limits and Base64 encoding.
- Security best practices (IMDSv2 and Secrets Management).
- Comparison between Bootstrapping and Golden AMIs.
EC2 User Data Architecture
- IAM: Attach a role to the EC2 instance so the User Data script can securely download files from S3 without hardcoded keys.
- CloudWatch: Send script execution logs to CloudWatch Logs for centralized troubleshooting.
- Boot Time: Extensive scripts increase “Time to Service.” For Auto Scaling groups, keep scripts lean or use Golden AMIs.
- Parallelism: User Data runs sequentially. Use `&` in shell scripts to background long-running tasks if possible.
- Free Feature: AWS does not charge for the User Data feature itself, but you pay for the instance uptime while the script is running.
- Spot Instances: Ideal for bootstrapping workers that can handle interruptions.