diff --git a/clients/cloud-setup/nm-cloud-setup.service.in b/clients/cloud-setup/nm-cloud-setup.service.in
index 6a6485b8cf..69a1a29ccb 100644
--- a/clients/cloud-setup/nm-cloud-setup.service.in
+++ b/clients/cloud-setup/nm-cloud-setup.service.in
@@ -8,6 +8,11 @@ ExecStart=@libexecdir@/nm-cloud-setup
 #Environment=NM_CLOUD_SETUP_LOG=TRACE
+# Cloud providers are disabled by default. You need to
+# Opt-in by setting the right environment variable for
+# the provider.
+#Environment=NM_CLOUD_SETUP_EC2=yes
+
 CapabilityBoundingSet=
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
diff --git a/clients/cloud-setup/nmcs-provider-ec2.c b/clients/cloud-setup/nmcs-provider-ec2.c
index 0bdab8106f..54686fdf6e 100644
--- a/clients/cloud-setup/nmcs-provider-ec2.c
+++ b/clients/cloud-setup/nmcs-provider-ec2.c
@@ -545,7 +545,8 @@ nmcs_provider_ec2_class_init (NMCSProviderEC2Class *klass)
 {
 NMCSProviderClass *provider_class = NMCS_PROVIDER_CLASS (klass);
- provider_class->_name = "ec2";
- provider_class->detect = detect;
- provider_class->get_config = get_config;
+ provider_class->_name = "ec2";
+ provider_class->_env_provider_enabled = "NM_CLOUD_SETUP_EC2";
+ provider_class->detect = detect;
+ provider_class->get_config = get_config;
 }
diff --git a/clients/cloud-setup/nmcs-provider.c b/clients/cloud-setup/nmcs-provider.c
index ab1f12a4c6..1f1b6e600d 100644
--- a/clients/cloud-setup/nmcs-provider.c
+++ b/clients/cloud-setup/nmcs-provider.c
@@ -61,6 +61,7 @@ nmcs_provider_detect (NMCSProvider *self,
 gpointer user_data)
 {
 gs_unref_object GTask *task = NULL;
+ const char *env;
 g_return_if_fail (NMCS_IS_PROVIDER (self));
 g_return_if_fail (!cancellable || G_IS_CANCELLABLE (cancellable));
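Review bot: The comment added to nm-cloud-setup.service.in tells the administrator to set the provider variable but not where to set it, and uncommenting the line in the installed unit is typically lost when the package is updated. I would point at a drop-in instead, for example `# Enable it from a drop-in (systemctl edit nm-cloud-setup.service) rather than by editing this file.` Writing `opt in` instead of `Opt-in` would also read better mid-sentence.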
@@ -69,6 +70,14 @@ nmcs_provider_detect (NMCSProvider *self,
 nmcs_wait_for_objects_register (task);
+ env = g_getenv (NMCS_PROVIDER_GET_CLASS (self)->_env_provider_enabled);
+ if (!_nm_utils_ascii_str_to_bool (env, FALSE)) {
+ g_task_return_error (task,
+ nm_utils_error_new (NM_UTILS_ERROR_UNKNOWN,
+ "provider is disabled"));
+ return;
+ }
+
 NMCS_PROVIDER_GET_CLASS (self)->detect (self, g_steal_pointer (&task));
 }
diff --git a/clients/cloud-setup/nmcs-provider.h b/clients/cloud-setup/nmcs-provider.h
index 930b6bd80f..e5a44da19f 100644
--- a/clients/cloud-setup/nmcs-provider.h
+++ b/clients/cloud-setup/nmcs-provider.h
@@ -62,6 +62,7 @@ typedef struct {
 typedef struct {
 GObjectClass parent;
 const char *_name;
+ const char *_env_provider_enabled;
 void (*detect) (NMCSProvider *self, GTask *task);
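Review bot: In nmcs_provider_detect the class field `_env_provider_enabled` is handed to `g_getenv()` unchecked, so a provider class that leaves it unset would pass NULL; GLib answers that with a critical warning and NULL, and the provider then just reports "provider is disabled", which fails closed but hides the programming error. Only the EC2 class is shown setting the field, so I would assert it before the lookup, `nm_assert (NMCS_PROVIDER_GET_CLASS (self)->_env_provider_enabled);`, and document the new member in nmcs-provider.h with `/* environment variable that must be set to a true value to enable the provider; required for every subclass */`. The error text would also be easier to act on if it named the variable the operator has to set. The function body starts above this hunk, so the task setup that precedes the check is not visible here.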