diff --git a/rules_building_block/discovery_userdata_request_from_ec2_instance.toml b/rules_building_block/discovery_userdata_request_from_ec2_instance.toml
new file mode 100644
index 000000000..7bdcee77c
--- /dev/null
+++ b/rules_building_block/discovery_userdata_request_from_ec2_instance.toml
@@ -0,0 +1,62 @@
+[metadata]
+creation_date = "2024/04/14"
+integration = ["aws"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/14"
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+Identifies discovery request `DescribeInstanceAttribute` with the attribute userData and instanceId in AWS CloudTrail
+logs. This may indicate an attempt to retrieve user data from an EC2 instance. Adversaries may use this information to
+gather sensitive data from the instance or to identify potential vulnerabilities. This is a building block rule that
+does not generate an alert on its own, but serves as a signal for anomalous activity.
+"""
+from = "now-119m"
+index = ["filebeat-*", "logs.aws.cloudtrail-*"]
+interval = "60m"
+language = "kuery"
+license = "Elastic License v2"
+name = "Attempt to Retrieve User Data from AWS EC2 Instance"
+references = [
+ "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstanceAttribute.html",
+ "https://hackingthe.cloud/aws/exploitation/local_ec2_priv_esc_through_user_data",
+]
+risk_score = 21
+rule_id = "c1e79a70-fa6f-11ee-8bc8-f661ea17fbce"
+severity = "low"
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: Amazon EC2",
+ "Use Case: Log Auditing",
+ "Tactic: Discovery",
+ "Rule Type: BBR"
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset:aws.cloudtrail
+ and event.action:DescribeInstanceAttribute
+ and aws.cloudtrail.request_parameters:(*attribute=userData* and *instanceId*)
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1580"
+name = "Cloud Infrastructure Discovery"
+reference = "https://attack.mitre.org/techniques/T1580/"
+
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+
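Review bot: The index pattern `"logs.aws.cloudtrail-*"` on the `index` line does not follow the `logs-<dataset>-<namespace>` data stream naming that Elastic integrations write to, so the rule would only ever search `filebeat-*` and silently miss CloudTrail events ingested through the AWS integration; it should read `index = ["filebeat-*", "logs-aws.cloudtrail-*"]`. The `request_parameters` match relies on `*attribute=userData*` being present verbatim, which presumes the integration flattens request parameters into a `key=value` string on a keyword field — worth confirming against a real event, since a text-typed field or different serialization would break the match. The rule carries no `false_positives` entry even though `DescribeInstanceAttribute` with `userData` is also issued routinely by provisioning and inventory tooling; a short entry such as `false_positives = ["Administrators and infrastructure-as-code or inventory tools may legitimately read EC2 user data; verify the calling identity and source."]` would help triage of the building-block signal.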