Also read: Metadata on GCP Compute Engine and IP Addressing on Compute Engine VMs

Overview

Metadata (of an EC2 instance) can contain access keys and secrets. These are all that is needed for account-level access (they replace the username and password combination).

Hence, having this plaintext data in the metadata (or user data) of an EC2 instance (or a Beanstalk instance) is problematic.

Ideal Solution - Secrets Manager

The ideal solution is to store these values in Secrets Manager and have them retrieved from Secrets Manager.

Short Term Potential Solution

If one can disable access to the metadata of an instance, that provides some level of protection. At instance launch time, there is an option to disable metadata access.

Summary

Instance-level metadata (EC2 metadata) needs to be disabled if there is the potential to have plaintext secrets in the metadata.
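
One way to check this rule across instances, as an added example that is not code from the original page: it takes the `MetadataOptions` block returned by `aws ec2 describe-instances` and the base64 user data returned by `aws ec2 describe-instance-attribute --attribute userData`, and reports user-data lines that look like plaintext secrets along with whether the metadata endpoint is still enabled. The function name, the regular expressions and the sample user data are assumptions made for illustration.

```python
import base64
import re

# Long-term AWS access key IDs start with AKIA, temporary ones with ASIA.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Assignments such as AWS_SECRET_ACCESS_KEY=... or db_password: ...
SECRET_ASSIGNMENT = re.compile(
    r"(?i)\b[\w.-]*(?:secret|password|passwd|token)[\w.-]*\s*[=:]\s*\S+")


def audit_instance(instance, user_data_b64):
    """Return findings for one instance; secret values are never echoed.

    instance: one Reservations[].Instances[] entry from describe-instances.
    user_data_b64: UserData.Value from describe-instance-attribute, or None.
    """
    findings = []
    text = ""
    if user_data_b64:
        text = base64.b64decode(user_data_b64).decode("utf-8", "replace")
    for lineno, line in enumerate(text.splitlines(), 1):
        if ACCESS_KEY_ID.search(line) or SECRET_ASSIGNMENT.search(line):
            findings.append(f"user data line {lineno}: possible plaintext secret")
    # The metadata endpoint is enabled unless it was turned off explicitly.
    endpoint = instance.get("MetadataOptions", {}).get("HttpEndpoint", "enabled")
    if findings and endpoint == "enabled":
        findings.append("metadata endpoint enabled: user data readable from the instance")
    return findings


def b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed sample input; the key pair is the placeholder used in AWS documentation.
LEAKY_USER_DATA = b64(
    "#!/bin/bash\n"
    "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
    "export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    "yum install -y httpd\n")
# Constructed user data that fetches its secret from Secrets Manager instead.
CLEAN_USER_DATA = b64(
    "#!/bin/bash\n"
    "aws secretsmanager get-secret-value --secret-id app/db --query SecretString\n")

if __name__ == "__main__":
    enabled = {"InstanceId": "i-constructed-1", "MetadataOptions": {"HttpEndpoint": "enabled"}}
    disabled = {"InstanceId": "i-constructed-2", "MetadataOptions": {"HttpEndpoint": "disabled"}}
    for inst, data in [(enabled, LEAKY_USER_DATA), (disabled, LEAKY_USER_DATA), (enabled, CLEAN_USER_DATA)]:
        print(inst["InstanceId"], audit_instance(inst, data))
```

With the metadata endpoint disabled, the two user-data findings remain, which is why the short-term solution is only a partial protection and Secrets Manager is the ideal one.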