Amazon EC2 / EBS / AMI / User Data Metadata

Location

EC2 instance, volume, image, metadata-options, and user-data configuration via EC2 APIs and IMDS

Description

Instance and storage configuration metadata including instance profile, security groups, attached volumes, AMI lineage, user-data scripts, IMDS configuration, launch templates, and snapshot relationships.

Forensic Value

EC2 metadata explains how a workload was launched, what credentials it inherited, what bootstrap scripts ran, and which EBS volumes preserve evidence. It also reveals dangerous user-data scripts, IMDS exposure, cross-account AMI usage, and launch-template tampering that can establish persistence or explain how attacker tooling was deployed at scale.

Tools Required

AWS Console, AWS CLI, EC2 IMDSv2 utilities

Collection Commands

AWS CLI

aws ec2 describe-instances --instance-ids i-xxxxxxxxxxxxxxxxx > ec2_instance_metadata.json

AWS CLI

aws ec2 describe-volumes --filters Name=attachment.instance-id,Values=i-xxxxxxxxxxxxxxxxx > ec2_attached_volumes.json

AWS CLI

aws ec2 describe-instance-attribute --instance-id i-xxxxxxxxxxxxxxxxx --attribute userData > ec2_user_data.json

IMDSv2

TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"); curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/dynamic/instance-identity/document > ec2_instance_identity_document.json
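The following triage helper is an added example, not part of the original page. It reads JSON shaped like ec2_instance_metadata.json and ec2_user_data.json, decodes the base64 (optionally gzip-compressed) user data, and flattens the fields reviewed first: instance profile, AMI, security groups, volumes, and IMDS settings. The function names, record keys, and sample values are assumptions constructed for illustration.

```python
import base64, gzip, hashlib, json

def decode_user_data(attr):
    """Decode describe-instance-attribute output; returns (raw_bytes, text)."""
    raw = base64.b64decode(attr.get("UserData", {}).get("Value", ""))
    # cloud-init also accepts gzip-compressed user data, so check the magic bytes.
    body = gzip.decompress(raw) if raw[:2] == b"\x1f\x8b" else raw
    return raw, body.decode("utf-8", errors="replace")

def summarize(instances, attr):
    """Build one triage record per instance from describe-instances output."""
    raw, text = decode_user_data(attr)
    records = []
    for res in instances.get("Reservations", []):
        for inst in res.get("Instances", []):
            md = inst.get("MetadataOptions", {})
            # User data belongs only to the instance the attribute call named.
            mine = bool(raw) and inst.get("InstanceId") == attr.get("InstanceId")
            records.append({
                "instance_id": inst.get("InstanceId"),
                "image_id": inst.get("ImageId"),
                "instance_profile": inst.get("IamInstanceProfile", {}).get("Arn"),
                "security_groups": [g["GroupId"] for g in inst.get("SecurityGroups", [])],
                "volumes": [m["Ebs"]["VolumeId"]
                            for m in inst.get("BlockDeviceMappings", []) if "Ebs" in m],
                # HttpTokens "optional" means IMDSv1 requests are still accepted.
                "imdsv1_allowed": md.get("HttpEndpoint") == "enabled"
                                  and md.get("HttpTokens") != "required",
                "imds_hop_limit": md.get("HttpPutResponseHopLimit"),
                # Hash the bytes as stored so the record can be compared later.
                "user_data_sha256": hashlib.sha256(raw).hexdigest() if mine else None,
                "user_data": text if mine else None,
            })
    return records

# Constructed sample input; every identifier below is a placeholder.
SAMPLE_USER_DATA = b"#!/bin/bash\necho bootstrap > /var/log/bootstrap.log\n"
SAMPLE_ATTR = {"InstanceId": "i-xxxxxxxxxxxxxxxxx",
               "UserData": {"Value": base64.b64encode(SAMPLE_USER_DATA).decode()}}
SAMPLE_INSTANCES = {"Reservations": [{"Instances": [{
    "InstanceId": "i-xxxxxxxxxxxxxxxxx", "ImageId": "ami-EXAMPLE",
    "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/EXAMPLE"},
    "SecurityGroups": [{"GroupId": "sg-EXAMPLE", "GroupName": "example"}],
    "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-EXAMPLE"}}],
    "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                        "HttpPutResponseHopLimit": 2}}]}]}

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_INSTANCES, SAMPLE_ATTR), indent=2))
```

To run it against collected evidence, load the two files with json.load and pass the resulting dictionaries to summarize in place of the samples.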

Collection Constraints

  • Metadata is highly time-sensitive because launch templates, user data, and attached resources can be modified quickly during response.
  • This evidence explains configuration and credential exposure but does not replace disk, memory, or workload-level acquisition.

MITRE ATT&CK Techniques

T1578, T1552.005, T1078.004