Instance metadata and user data in AWS - Practice Problems & Coding Challenges

Challenge - 5 Problems
Service behavior
intermediate
What data can an EC2 instance retrieve from its metadata service?

An EC2 instance can query its instance metadata service to get information about itself. Which of the following types of data can it retrieve?

AThe instance's public IP address, instance ID, and security groups attached
BThe contents of all S3 buckets in the AWS account
CThe private keys of the AWS account root user
DThe billing details of the AWS account
💡 Hint

Think about what information is specific to the instance itself and what would be sensitive or unrelated.

Configuration
intermediate
What is the correct way to pass user data to an EC2 instance during launch?

You want to run a script automatically when your EC2 instance starts. How should you provide this script using user data?

AAttach the script as a file to the instance's EBS volume after launch
BInclude the script as plain text in the user data field when launching the instance
CUpload the script to an S3 bucket and provide the S3 URL in user data
DSend the script via SSH after the instance is running
💡 Hint

User data is designed to run commands or scripts at instance boot time.

Security
advanced
What security risk is associated with instance metadata service (IMDS) version 1?

IMDSv1 lets EC2 instances read metadata with plain HTTP GET requests that carry no session token. What is a known security risk of using IMDSv1 compared to IMDSv2?

AIMDSv1 is vulnerable to SSRF attacks that can expose sensitive metadata
BIMDSv1 encrypts metadata with weak algorithms
CIMDSv1 disables instance role permissions by default
DIMDSv1 requires manual credential rotation
💡 Hint

Consider how metadata is accessed and what an attacker might exploit.

Architecture
advanced
How can you securely provide secrets to an EC2 instance without exposing them in user data?

You want your EC2 instance to access database credentials securely without embedding them in user data. Which approach is best?

AHardcode the credentials in the instance AMI
BStore the credentials in user data encrypted with base64
CAssign an IAM role to the instance with permissions to access AWS Secrets Manager
DSend the credentials via email to the instance owner
💡 Hint

Think about AWS services designed for secret management and secure access.

Best practice
expert
What is the recommended way to enforce use of IMDSv2 on EC2 instances to improve security?

You want to ensure all EC2 instances in your environment use IMDSv2 only, disabling IMDSv1. How can you enforce this?

ADisable the EC2 instance's network interface
BBlock all HTTP traffic to 169.254.169.254 from the instance
CRemove the instance profile attached to the instance
DConfigure the instance metadata options to require IMDSv2 and disable IMDSv1 during instance launch or via API
💡 Hint

Look for instance metadata options that control IMDS versions.
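The metadata options that control IMDS versions are the same ones an auditor reads back from DescribeInstances. The following is an added example (not part of the quiz, not AWS's own code) showing how to audit an instance inventory for IMDSv2 enforcement and remediate the stragglers through the ModifyInstanceMetadataOptions API, which is the "via API" half of the correct answer. The field names follow the real EC2 API; the inventory, its instance IDs and the RecordingEC2Client stand-in for a boto3 client are constructed so the code runs offline. It also checks HttpPutResponseHopLimit, which goes a step beyond the question: a hop limit of 1 keeps the IMDSv2 token answer from leaving the instance's own network stack.

```python
"""Audit EC2 instances for IMDSv2 enforcement and remediate the stragglers.

Added example, not code from the quiz page. Field names follow the real
ec2:DescribeInstances MetadataOptions / ModifyInstanceMetadataOptions shapes;
the inventory below and the instance IDs in it are constructed sample data.
"""
from __future__ import annotations
from typing import Any

# The MetadataOptions a hardened launch should use (run_instances MetadataOptions=...).
HARDENED_METADATA_OPTIONS = {
    "HttpTokens": "required",        # IMDSv2 only; token-less IMDSv1 GETs are rejected
    "HttpEndpoint": "enabled",       # keep IMDS available to the instance itself
    "HttpPutResponseHopLimit": 1,    # token PUT answered only within the instance's own stack
}

# Constructed sample inventory: the MetadataOptions block as ec2.describe_instances
# returns it per instance (real field names, made-up instance IDs).
SAMPLE_INVENTORY: list[dict[str, Any]] = [
    {"InstanceId": "i-0aaa111example",
     "MetadataOptions": {"State": "applied", "HttpTokens": "required",
                         "HttpEndpoint": "enabled", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0bbb222example",   # IMDSv1 still allowed
     "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                         "HttpEndpoint": "enabled", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0ccc333example",   # v2 required, but token reachable several hops away
     "MetadataOptions": {"State": "applied", "HttpTokens": "required",
                         "HttpEndpoint": "enabled", "HttpPutResponseHopLimit": 4}},
    {"InstanceId": "i-0ddd444example",   # IMDS switched off entirely
     "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                         "HttpEndpoint": "disabled", "HttpPutResponseHopLimit": 1}},
]


def imds_findings(instance: dict[str, Any], max_hop_limit: int = 1) -> list[str]:
    """List the IMDS hardening gaps of one instance; an empty list means compliant."""
    opts = instance.get("MetadataOptions", {})
    if opts.get("HttpEndpoint") == "disabled":
        return []                     # no metadata service at all: nothing to harden
    findings = []
    if opts.get("HttpTokens") != "required":
        findings.append("IMDSv1 allowed (HttpTokens != required)")
    hops = opts.get("HttpPutResponseHopLimit", 1)
    if hops > max_hop_limit:
        findings.append(f"HttpPutResponseHopLimit {hops} > {max_hop_limit}")
    return findings


def noncompliant(inventory: list[dict[str, Any]]) -> dict[str, list[str]]:
    """Map InstanceId -> findings for every instance that is not IMDSv2-only."""
    return {i["InstanceId"]: f for i in inventory if (f := imds_findings(i))}


def enforce_imdsv2(client: Any, instance_id: str) -> dict[str, Any]:
    """Flip one running instance to IMDSv2-only through the EC2 API.

    Equivalent CLI:  aws ec2 modify-instance-metadata-options --instance-id <id>
                     --http-tokens required --http-endpoint enabled --http-put-response-hop-limit 1
    `client` is a boto3 EC2 client in production; the test passes a recording stand-in.
    """
    return client.modify_instance_metadata_options(InstanceId=instance_id,
                                                   **HARDENED_METADATA_OPTIONS)


class RecordingEC2Client:
    """Offline stand-in for boto3.client("ec2"): records calls instead of making them."""
    def __init__(self) -> None:
        self.calls: list[dict[str, Any]] = []

    def modify_instance_metadata_options(self, **kwargs: Any) -> dict[str, Any]:
        self.calls.append(kwargs)
        # Shape of the real response: the new options are "pending" until applied.
        return {"InstanceId": kwargs["InstanceId"],
                "InstanceMetadataOptions": {"State": "pending",
                                            "HttpTokens": kwargs["HttpTokens"]}}


def remediate(inventory: list[dict[str, Any]], client: Any) -> list[str]:
    """Enforce IMDSv2 on every non-compliant instance; returns the IDs changed."""
    fixed = []
    for instance_id in noncompliant(inventory):
        enforce_imdsv2(client, instance_id)
        fixed.append(instance_id)
    return fixed


if __name__ == "__main__":
    for iid, findings in noncompliant(SAMPLE_INVENTORY).items():
        print(iid, "->", "; ".join(findings))
    print("remediated:", remediate(SAMPLE_INVENTORY, RecordingEC2Client()))
```

In production, `SAMPLE_INVENTORY` is replaced by the `Instances` entries paginated out of `describe_instances`, and `RecordingEC2Client()` by `boto3.client("ec2")`; the disabled-endpoint instance is deliberately left alone, since turning IMDS back on is a separate decision from requiring v2.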

Practice

1. What is the primary purpose of instance metadata in AWS EC2?
easy
A. To provide information about the instance to itself
B. To store user files permanently
C. To allow external users to access the instance
D. To manage billing information for the instance

Solution

  1. Step 1: Understand instance metadata role

    Instance metadata is information about the instance that the instance itself can read, such as its instance ID, IP addresses, or region.
  2. Step 2: Differentiate from other options

    It is not for storing user files, external access, or billing management.
  3. Final Answer:

    To provide information about the instance to itself -> Option A
  4. Quick Check:

    Instance metadata = instance self-info [OK]
Hint: Instance metadata is info the server knows about itself [OK]
Common Mistakes:
  • Confusing metadata with user data
  • Thinking metadata is for external access
  • Assuming metadata stores user files
2. Which IP address is used inside an EC2 instance to access instance metadata?
easy
A. 127.0.0.1
B. 169.254.169.254
C. 192.168.0.1
D. 10.0.0.1

Solution

  1. Step 1: Recall the special metadata IP

    The fixed link-local address 169.254.169.254 is reserved for the instance metadata service and is reachable only from inside the EC2 instance.
  2. Step 2: Exclude other common IPs

    127.0.0.1 is localhost; 192.168.0.1 and 10.0.0.1 are ordinary private-network addresses, not the metadata endpoint.
  3. Final Answer:

    169.254.169.254 -> Option B
  4. Quick Check:

    Metadata IP = 169.254.169.254 [OK]
Hint: Metadata IP always starts with 169.254 [OK]
Common Mistakes:
  • Using localhost IP 127.0.0.1
  • Confusing with private network IPs
  • Trying public IP addresses
3. Given this user data script for an EC2 instance:
#!/bin/bash
echo "Hello World" > /home/ec2-user/hello.txt

What will happen when the instance starts?
medium
A. The file will be created but empty
B. The instance will fail to start due to syntax error
C. Nothing happens because user data is ignored
D. The file /home/ec2-user/hello.txt will contain 'Hello World'

Solution

  1. Step 1: Understand user data script execution

    User data scripts run once, on the instance's first boot, and can create files or run commands as root.
  2. Step 2: Analyze the script effect

    The script writes 'Hello World' into the file /home/ec2-user/hello.txt, so the file will contain that text.
  3. Final Answer:

    The file /home/ec2-user/hello.txt will contain 'Hello World' -> Option D
  4. Quick Check:

    User data script writes file content [OK]
Hint: User data runs at start and executes commands [OK]
Common Mistakes:
  • Thinking user data runs multiple times
  • Assuming syntax error in simple echo
  • Believing user data is disabled by default
4. You try to access instance metadata from your EC2 instance using curl http://169.254.169.254/latest/meta-data/ but get no response. What is the most likely cause?
medium
A. Instance metadata service is disabled or blocked
B. The IP address is incorrect
C. User data script is missing
D. The instance is stopped

Solution

  1. Step 1: Check IP correctness

    169.254.169.254 is the correct metadata endpoint, so the address is not the problem.
  2. Step 2: Consider service availability

    If there is no response at all, the metadata service is most likely disabled in the instance's metadata options or blocked by a host firewall rule.
  3. Final Answer:

    Instance metadata service is disabled or blocked -> Option A
  4. Quick Check:

    No metadata response = service disabled/blocked [OK]
Hint: No metadata response usually means service disabled [OK]
Common Mistakes:
  • Assuming wrong IP address
  • Confusing user data with metadata
  • Not checking instance state
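The IMDSv1-versus-IMDSv2 challenge question and this troubleshooting question both come down to how the metadata endpoint is addressed. The following added example (not from the quiz and not AWS's code) performs the IMDSv2 exchange with Python's standard library, a PUT for a session token followed by a GET carrying that token, and classifies what a token-less `curl`-style request gets back. The endpoint, paths and header names are AWS's real IMDS interface; the FakeIMDSv2 server, its token and the metadata values it serves are constructed stand-ins so the code runs outside EC2. One caveat the question glosses over: when IMDSv2 is enforced, a token-less request is answered with HTTP 401 rather than silence, so "no response at all" still points at a disabled or blocked endpoint.

```python
"""Talk to the instance metadata service the IMDSv2 way and classify failures.

Added example, not code from the quiz page. The endpoint, token path and
header names are AWS's real IMDS interface; FakeIMDSv2 and the values it
serves are constructed stand-ins so this runs outside EC2.
"""
import http.server
import threading
import urllib.error
import urllib.request

IMDS_BASE = "http://169.254.169.254"          # the link-local endpoint from the quiz
# IMDS must never be reached through an HTTP proxy, so ignore proxy environment variables.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def fetch_metadata(path: str, base_url: str = IMDS_BASE, ttl: int = 21600,
                   timeout: float = 2.0) -> str:
    """IMDSv2 session: PUT for a token, then GET the metadata path with that token.

    The PUT with a custom header is the step a typical SSRF primitive (a bare GET
    to an attacker-chosen URL) cannot perform, which is why IMDSv2 blunts the
    IMDSv1 risk from the challenge question.
    """
    token_req = urllib.request.Request(
        f"{base_url}/latest/api/token", method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": str(ttl)})
    with OPENER.open(token_req, timeout=timeout) as resp:
        token = resp.read().decode()
    data_req = urllib.request.Request(
        f"{base_url}/latest/meta-data/{path}",
        headers={"X-aws-ec2-metadata-token": token})
    with OPENER.open(data_req, timeout=timeout) as resp:
        return resp.read().decode()


def diagnose(base_url: str = IMDS_BASE, timeout: float = 2.0) -> str:
    """Explain why a plain `curl http://169.254.169.254/latest/meta-data/` might fail.

    Returns "imdsv1-allowed" (token-less GET worked), "imdsv2-required"
    (HTTP 401: the service is up but insists on a token) or "unreachable"
    (no answer at all: endpoint disabled or blocked, the quiz's option A).
    """
    try:
        with OPENER.open(f"{base_url}/latest/meta-data/instance-id", timeout=timeout):
            return "imdsv1-allowed"
    except urllib.error.HTTPError as err:        # must precede URLError, its parent class
        return "imdsv2-required" if err.code == 401 else f"http-{err.code}"
    except (urllib.error.URLError, OSError):
        return "unreachable"


class FakeIMDSv2(http.server.BaseHTTPRequestHandler):
    """Minimal imitation of an IMDSv2-only endpoint (constructed, for offline runs)."""
    TOKEN = "constructed-session-token"
    META = {"instance-id": "i-0123456789example",
            "placement/availability-zone": "us-east-1a"}

    def log_message(self, *args):               # keep the server silent
        pass

    def _reply(self, status: int, body: bytes = b"") -> None:
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_PUT(self):
        if (self.path == "/latest/api/token"
                and "X-aws-ec2-metadata-token-ttl-seconds" in self.headers):
            self._reply(200, self.TOKEN.encode())
        else:
            self._reply(400)

    def do_GET(self):
        if self.headers.get("X-aws-ec2-metadata-token") != self.TOKEN:
            self._reply(401)                    # token-less (IMDSv1-style) request: rejected
            return
        prefix = "/latest/meta-data/"
        key = self.path[len(prefix):] if self.path.startswith(prefix) else ""
        if key in self.META:
            self._reply(200, self.META[key].encode())
        else:
            self._reply(404)


def start_fake_imds():
    """Start FakeIMDSv2 on a free localhost port; returns (server, base_url)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), FakeIMDSv2)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


if __name__ == "__main__":
    server, base = start_fake_imds()
    print("token-less GET:", diagnose(base))                 # imdsv2-required
    print("with token:", fetch_metadata("instance-id", base_url=base))
    server.shutdown()
```

On a real instance, call `fetch_metadata("instance-id")` with the defaults; the fake server exists only so the three outcomes of `diagnose` can be exercised on a laptop.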
5. You want to automate installing software on an EC2 instance at launch using user data. Which of these is the best practice?
hard
A. Manually SSH into the instance after launch to install software
B. Store installation commands in instance metadata
C. Write a shell script in user data that installs software and runs on first boot
D. Use user data only to store instance tags

Solution

  1. Step 1: Understand user data purpose

    User data is designed to run scripts automatically at instance launch to configure or install software.
  2. Step 2: Evaluate options

    Manual SSH is not automated; instance metadata is read-only information the instance cannot write commands into; and tags are not stored in user data.
  3. Final Answer:

    Write a shell script in user data that installs software and runs on first boot -> Option C
  4. Quick Check:

    User data automates setup scripts [OK]
Hint: Use user data scripts to automate setup at launch [OK]
Common Mistakes:
  • Trying to store commands in metadata
  • Ignoring automation benefits
  • Misusing user data for tags