AWS EC2 User Data Retrieval for EC2 Instance

Elastic Detection Rules

Summary
This rule detects potentially malicious requests to retrieve the `userData` attribute of an AWS EC2 instance through the `DescribeInstanceAttribute` API action, as logged by AWS CloudTrail. User data can contain sensitive information, such as hardcoded credentials or other configuration details, that adversaries may leverage to exploit vulnerabilities. The rule triggers on requests for the `userData` attribute of a specific `instanceId` within the past 14 days, filtering out requests initiated by recognized AWS internal services or CloudFormation. Key investigation steps include analyzing the target instance data, user context and request details, and checking the associated IAM roles and access patterns to assess whether the action is legitimate. Continuous monitoring for unusual API calls connected to this activity strengthens the security and compliance posture of AWS deployments.
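The detection logic described in the summary, as an added example run over constructed CloudTrail records (this is not the Elastic rule's own query): it flags `DescribeInstanceAttribute` calls whose `attribute` is `userData` for a named `instanceId`, drops calls from CloudFormation or AWS internal callers, and returns the triage context the summary lists. The user-agent markers used for the exclusion, and all sample identifiers, are assumptions.

```python
import json

# Constructed sample CloudTrail records (not real logs); field names follow the
# raw CloudTrail JSON schema and the instance IDs, ARNs and IPs are placeholders.
SAMPLE_EVENTS = [
    # 1: manual retrieval from the CLI -> should be flagged
    {"eventTime": "2024-04-14T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstanceAttribute", "userAgent": "aws-cli/2.15.0",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/example-dev"},
     "requestParameters": {"instanceId": "i-0123456789abcdef0", "attribute": "userData"}},
    # 2: same API and instance, different attribute -> not flagged
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstanceAttribute",
     "userAgent": "aws-cli/2.15.0", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-dev"},
     "requestParameters": {"instanceId": "i-0123456789abcdef0", "attribute": "instanceType"}},
    # 3: CloudFormation reading user data during a stack operation -> excluded
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstanceAttribute",
     "userAgent": "cloudformation.amazonaws.com",
     "requestParameters": {"instanceId": "i-0123456789abcdef0", "attribute": "userData"}},
]
RAW_LINES = [json.dumps(e) for e in SAMPLE_EVENTS] + ["not json"]  # one record per line, plus a bad line

# Assumed user-agent markers for the exclusion of AWS internal services and
# CloudFormation; the exact strings the Elastic rule matches are not on this page.
EXCLUDED_USER_AGENTS = ("AWS Internal", "cloudformation.amazonaws.com")

def is_userdata_retrieval(event: dict) -> bool:
    """DescribeInstanceAttribute for userData of a specific instance, not from an excluded AWS-side caller."""
    if (event.get("eventSource"), event.get("eventName")) != ("ec2.amazonaws.com", "DescribeInstanceAttribute"):
        return False
    params = event.get("requestParameters") or {}
    if params.get("attribute") != "userData" or not params.get("instanceId"):
        return False
    agent = event.get("userAgent", "")
    return not any(marker in agent for marker in EXCLUDED_USER_AGENTS)

def find_userdata_retrievals(raw_lines):
    """Scan newline-delimited CloudTrail JSON; return the triage context the summary lists."""
    hits = []
    for line in raw_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        if is_userdata_retrieval(event):
            ident = event.get("userIdentity") or {}
            hits.append({"time": event.get("eventTime"), "caller": ident.get("arn"),
                         "instanceId": event["requestParameters"]["instanceId"],
                         "sourceIp": event.get("sourceIPAddress"), "userAgent": event.get("userAgent")})
    return hits
```

Only the first record is returned; the caller ARN, source IP and user agent in the hit are the starting points for the IAM role and access-pattern review the summary recommends.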
Categories
  • Cloud
  • AWS
  • Infrastructure
Data Sources
  • Cloud Service
  • Cloud Storage
  • Logon Session
  • Network Traffic
  • Process
ATT&CK Techniques
  • T1580
  • T1552
  • T1552.005
Created: 2024-04-14