Amazon Linux AMI Security Advisory: ALAS-2016-763
Advisory Release Date: 2016-11-10 18:00 Pacific
Advisory Updated Date: 2016-11-10 18:00 Pacific
It was discovered that cloud-init in the Amazon Linux AMI wrote IAM role credentials from the instance metadata service to files readable by the root user in /var/lib/cloud. An application with root privileges, a container with access to the relevant files, or a root user of an AMI derived from a previously launched AMI could read and use the credentials. (IAM role credentials expire after 6 hours.)
Run yum update cloud-init to update your system. To delete the files which contain credentials, run rm /var/lib/cloud/instance/obj.pkl /var/lib/cloud/instances/*/obj.pkl.