diff --git a/.changeset/cold-coins-flow.md b/.changeset/cold-coins-flow.md
new file mode 100644
index 0000000000..eda614d623
--- /dev/null
+++ b/.changeset/cold-coins-flow.md
@@ -0,0 +1,5 @@
+---
+"@guardian/cdk": minor
+---
+
+enable InstanceMetadataTags on EC2 patterns
diff --git a/src/constructs/autoscaling/asg.ts b/src/constructs/autoscaling/asg.ts
index 03f9d538f0..87a720ea67 100644
--- a/src/constructs/autoscaling/asg.ts
+++ b/src/constructs/autoscaling/asg.ts
@@ -128,6 +128,7 @@ export class GuAutoScalingGroup extends GuAppAwareConstruct(AutoScalingGroup) {
       // Favour HTTPS only egress rules by default.
       securityGroup: GuHttpsEgressSecurityGroup.forVpc(scope, { app, vpc }),
       requireImdsv2: !withoutImdsv2,
+      instanceMetadataTags: true,
       userData,
       role,
       httpPutResponseHopLimit,
diff --git a/src/patterns/ec2-app/__snapshots__/base.test.ts.snap b/src/patterns/ec2-app/__snapshots__/base.test.ts.snap
index 44199c4099..f692105cf2 100644
--- a/src/patterns/ec2-app/__snapshots__/base.test.ts.snap
+++ b/src/patterns/ec2-app/__snapshots__/base.test.ts.snap
@@ -890,6 +890,7 @@ exports[`the GuEC2App pattern can produce a restricted EC2 app locked to specifi
           "InstanceType": "t4g.medium",
           "MetadataOptions": {
             "HttpTokens": "required",
+            "InstanceMetadataTags": "enabled",
           },
           "SecurityGroupIds": [
             {
@@ -1785,6 +1786,7 @@ exports[`the GuEC2App pattern should produce a functional EC2 app with minimal a
           "InstanceType": "t4g.medium",
           "MetadataOptions": {
             "HttpTokens": "required",
+            "InstanceMetadataTags": "enabled",
           },
           "SecurityGroupIds": [
             {