[03:17] <holmanb> minimal: hahaha
[03:18] <holmanb> userdata _is_ root
[03:22] <holmanb> cloud-init isn't doing any privilege escalation there
[03:22] <holmanb> The article starts with:
[03:22] <holmanb> If an adversary has access to the modify-instance attribute permission they can leverage it to escalate to root/System on an EC2 instance.
[03:23] <holmanb> Which is just silly because modify-instance can do things like modify the kernel/initrd/etc
[03:27] <holmanb> I've seen around a dozen articles that say similar things and they all have one thing in common: a misunderstanding of cloud-init (or in this case the cloud)
[03:30] <holmanb> If you can already modify the kernel, you have root already - cloud-init is completely irrelevant.
[03:40] <holmanb> It's equivalent to saying "assume you have root, then escalate to root"