diff --git a/aws/cluster/README.md b/aws/cluster/README.md
index 6a03d152..a5fdac36 100644
--- a/aws/cluster/README.md
+++ b/aws/cluster/README.md
@@ -105,6 +105,7 @@ module "cluster" {
 | <a name="input_namespace"></a> [namespace](#input\_namespace) | Prefix to be applied to created resources | `list(string)` | `[]` | no |
 | <a name="input_node_groups"></a> [node\_groups](#input\_node\_groups) | Node groups to create in this cluster | <pre>map(object({<br>    capacity_type   = optional(string, "ON_DEMAND")<br>    instance_types  = list(string),<br>    max_size        = number<br>    max_unavailable = optional(number, 3)<br>    min_size        = number<br>  }))</pre> | n/a | yes |
 | <a name="input_tags"></a> [tags](#input\_tags) | Tags to be applied to all created resources | `map(string)` | `{}` | no |
+| <a name="input_user_data"></a> [user\_data](#input\_user\_data) | Optional user data script for the launch template | `map(string)` | `{}` | no |
 
 ## Outputs
 
diff --git a/aws/cluster/main.tf b/aws/cluster/main.tf
index 810ebc6c..f1d01d62 100644
--- a/aws/cluster/main.tf
+++ b/aws/cluster/main.tf
@@ -53,6 +53,7 @@ module "node_groups" {
   role            = module.node_role.instance
   subnets         = values(data.aws_subnet.private)
   tags            = var.tags
+  user_data      = var.user_data
 
   depends_on = [module.node_role]
 }
diff --git a/aws/cluster/modules/eks-node-group/README.md b/aws/cluster/modules/eks-node-group/README.md
index cc755c8a..e7b0b971 100644
--- a/aws/cluster/modules/eks-node-group/README.md
+++ b/aws/cluster/modules/eks-node-group/README.md
@@ -17,6 +17,7 @@
 | Name | Type |
 |------|------|
 | [aws_eks_node_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_node_group) | resource |
+| [aws_launch_template.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template) | resource |
 
 ## Inputs
 
@@ -35,6 +36,7 @@
 | <a name="input_role"></a> [role](#input\_role) | IAM role nodes in this group will assume | `object({ arn = string })` | n/a | yes |
 | <a name="input_subnets"></a> [subnets](#input\_subnets) | Subnets in which the node group should run | `list(object({ id = string, availability_zone = string }))` | n/a | yes |
 | <a name="input_tags"></a> [tags](#input\_tags) | Tags to be applied to created resources | `map(string)` | `{}` | no |
+| <a name="input_user_data"></a> [user\_data](#input\_user\_data) | Optional user data script for the launch template | `string` | `null` | no |
 
 ## Outputs
 
diff --git a/aws/cluster/modules/eks-node-group/main.tf b/aws/cluster/modules/eks-node-group/main.tf
index 07e34434..4f4013dc 100644
--- a/aws/cluster/modules/eks-node-group/main.tf
+++ b/aws/cluster/modules/eks-node-group/main.tf
@@ -8,6 +8,15 @@ resource "aws_eks_node_group" "this" {
   node_role_arn   = var.role.arn
   subnet_ids      = [each.value.id]
 
+  dynamic "launch_template" {
+    for_each = var.user_data != null ? [aws_launch_template.this[0]] : []
+
+    content {
+      id      = launch_template.value.id
+      version = launch_template.value.latest_version
+    }
+  }
+
   scaling_config {
     desired_size = local.min_size_per_node_group
     max_size     = local.max_size_per_node_group
@@ -31,6 +40,12 @@ resource "aws_eks_node_group" "this" {
   }
 }
 
+resource "aws_launch_template" "this" {
+  count = var.user_data != null ? 1 : 0
+
+  user_data = base64encode(var.user_data)
+}
+
 locals {
   min_size_per_node_group = ceil(var.min_size / 2)
   max_size_per_node_group = ceil(var.max_size / 2)
diff --git a/aws/cluster/modules/eks-node-group/variables.tf b/aws/cluster/modules/eks-node-group/variables.tf
index 5cf01019..71d495de 100644
--- a/aws/cluster/modules/eks-node-group/variables.tf
+++ b/aws/cluster/modules/eks-node-group/variables.tf
@@ -69,3 +69,9 @@ variable "max_unavailable" {
   description = "Maximum number of nodes that can be unavailable during a rolling update"
   default     = 1
 }
+
+variable "user_data" {
+  type        = string
+  description = "Optional user data script for the launch template"
+  default     = null # Default to an empty string if no user data is provided
+}
diff --git a/aws/cluster/modules/eks-node-role/README.md b/aws/cluster/modules/eks-node-role/README.md
index 189b764c..cc91812f 100644
--- a/aws/cluster/modules/eks-node-role/README.md
+++ b/aws/cluster/modules/eks-node-role/README.md
@@ -20,6 +20,7 @@
 | [aws_iam_role_policy_attachment.ec2_container_registry_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.eks_cloudwatch_agent_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.eks_cni_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.eks_s3_instance_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.eks_ssm_instance_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.eks_worker_node_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.eks_xray_writeonly_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
diff --git a/aws/cluster/modules/eks-node-role/main.tf b/aws/cluster/modules/eks-node-role/main.tf
index 9c912a60..eabe71d9 100644
--- a/aws/cluster/modules/eks-node-role/main.tf
+++ b/aws/cluster/modules/eks-node-role/main.tf
@@ -34,6 +34,11 @@ resource "aws_iam_role_policy_attachment" "eks_cloudwatch_agent_policy" {
   role       = aws_iam_role.this.name
 }
 
+resource "aws_iam_role_policy_attachment" "eks_s3_instance_policy" {
+  policy_arn = "${local.policy_prefix}/AmazonS3ReadOnlyAccess"
+  role       = aws_iam_role.this.name
+}
+
 resource "aws_iam_role_policy_attachment" "eks_ssm_instance_policy" {
   policy_arn = "${local.policy_prefix}/AmazonSSMManagedInstanceCore"
   role       = aws_iam_role.this.name
diff --git a/aws/cluster/variables.tf b/aws/cluster/variables.tf
index 65e151eb..3d1f0432 100644
--- a/aws/cluster/variables.tf
+++ b/aws/cluster/variables.tf
@@ -61,3 +61,9 @@ variable "labels" {
   description = "Labels to be applied to created resources"
   default     = {}
 }
+
+variable "user_data" {
+  type        = map(string)
+  description = "Optional user data script for the launch template"
+  default     = {} # Default to an empty string if no user data is provided
+}