diff --git a/pkg/webhooks/machine_webhook.go b/pkg/webhooks/machine_webhook.go
index 36f106248..4b04ed283 100644
--- a/pkg/webhooks/machine_webhook.go
+++ b/pkg/webhooks/machine_webhook.go
@@ -615,6 +615,8 @@ func (a awsDefaulter) defaultAWS(m *machinev1beta1.Machine, config *admissionCon
 
 	if providerSpec.UserDataSecret == nil {
 		providerSpec.UserDataSecret = &corev1.LocalObjectReference{Name: defaultUserDataSecret}
+	} else if providerSpec.UserDataSecret.Name == "" {
+		providerSpec.UserDataSecret.Name = defaultUserDataSecret
 	}
 
 	if providerSpec.CredentialsSecret == nil {
@@ -724,13 +726,9 @@ func validateAWS(m *machinev1beta1.Machine, config *admissionConfig) (bool, []st
 	}
 
 	if providerSpec.UserDataSecret == nil {
-		errs = append(
-			errs,
-			field.Required(
-				field.NewPath("providerSpec", "userDataSecret"),
-				"expected providerSpec.userDataSecret to be populated",
-			),
-		)
+		errs = append(errs, field.Required(field.NewPath("providerSpec", "userDataSecret"), "expected providerSpec.userDataSecret to be populated"))
+	} else if providerSpec.UserDataSecret.Name == "" {
+		errs = append(errs, field.Required(field.NewPath("providerSpec", "userDataSecret", "name"), "expected providerSpec.userDataSecret.name to be provided"))
 	}
 
 	if providerSpec.CredentialsSecret == nil {
diff --git a/pkg/webhooks/machine_webhook_test.go b/pkg/webhooks/machine_webhook_test.go
index 26004dc0e..4a4b44413 100644
--- a/pkg/webhooks/machine_webhook_test.go
+++ b/pkg/webhooks/machine_webhook_test.go
@@ -2382,6 +2382,14 @@ func TestValidateAWSProviderSpec(t *testing.T) {
 			expectedOk:    false,
 			expectedError: "providerSpec.userDataSecret: Required value: expected providerSpec.userDataSecret to be populated",
 		},
+		{
+			testCase: "with no user data secret name it fails",
+			modifySpec: func(p *machinev1beta1.AWSMachineProviderConfig) {
+				p.UserDataSecret.Name = ""
+			},
+			expectedOk:    false,
+			expectedError: "providerSpec.userDataSecret.name: Required value: expected providerSpec.userDataSecret.name to be provided",
+		},
 		{
 			testCase: "with no credentials secret it fails",
 			modifySpec: func(p *machinev1beta1.AWSMachineProviderConfig) {