diff --git a/app/vmagent/remotewrite/client.go b/app/vmagent/remotewrite/client.go
index 156d802171..373b7157d3 100644
--- a/app/vmagent/remotewrite/client.go
+++ b/app/vmagent/remotewrite/client.go
@@ -232,7 +232,7 @@ func getAWSAPIConfig(argIdx int) (*awsapi.Config, error) {
 	roleARN := awsRoleARN.GetOptionalArg(argIdx)
 	accessKey := awsAccessKey.GetOptionalArg(argIdx)
 	secretKey := awsSecretKey.GetOptionalArg(argIdx)
-	cfg, err := awsapi.NewConfig(region, roleARN, accessKey, secretKey, "")
+	cfg, err := awsapi.NewConfig(region, roleARN, accessKey, secretKey)
 	if err != nil {
 		return nil, err
 	}
diff --git a/lib/awsapi/config.go b/lib/awsapi/config.go
index c980d5f500..c4106a0691 100644
--- a/lib/awsapi/config.go
+++ b/lib/awsapi/config.go
@@ -22,8 +22,6 @@ type Config struct {
 	roleARN      string
 	webTokenPath string
 
-	filtersQueryString string
-
 	ec2Endpoint string
 	stsEndpoint string
 
@@ -45,17 +43,13 @@ type credentials struct {
 }
 
 // NewConfig returns new AWS Config.
-//
-// filtersQueryString must contain an optional percent-encoded query string for aws filters.
-// See https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html for examples.
-func NewConfig(region, roleARN, accessKey, secretKey, filtersQueryString string) (*Config, error) {
+func NewConfig(region, roleARN, accessKey, secretKey string) (*Config, error) {
 	cfg := &Config{
-		client:             http.DefaultClient,
-		region:             region,
-		roleARN:            roleARN,
-		filtersQueryString: filtersQueryString,
-		defaultAccessKey:   os.Getenv("AWS_ACCESS_KEY_ID"),
-		defaultSecretKey:   os.Getenv("AWS_SECRET_ACCESS_KEY"),
+		client:           http.DefaultClient,
+		region:           region,
+		roleARN:          roleARN,
+		defaultAccessKey: os.Getenv("AWS_ACCESS_KEY_ID"),
+		defaultSecretKey: os.Getenv("AWS_SECRET_ACCESS_KEY"),
 	}
 	cfg.region = region
 	if cfg.region == "" {
@@ -91,14 +85,18 @@ func NewConfig(region, roleARN, accessKey, secretKey, filtersQueryString string)
 }
 
 // GetEC2APIResponse performs EC2 API request with ghe given action.
-func (cfg *Config) GetEC2APIResponse(action, nextPageToken string) ([]byte, error) {
+//
+// filtersQueryString must contain an optional percent-encoded query string for aws filters.
+// See https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html for examples.
+// See also https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_Filter.html
+func (cfg *Config) GetEC2APIResponse(action, filtersQueryString, nextPageToken string) ([]byte, error) {
 	ac, err := cfg.getFreshAPICredentials()
 	if err != nil {
 		return nil, err
 	}
 	apiURL := fmt.Sprintf("%s?Action=%s", cfg.ec2Endpoint, url.QueryEscape(action))
-	if len(cfg.filtersQueryString) > 0 {
-		apiURL += "&" + cfg.filtersQueryString
+	if len(filtersQueryString) > 0 {
+		apiURL += "&" + filtersQueryString
 	}
 	if len(nextPageToken) > 0 {
 		apiURL += fmt.Sprintf("&NextToken=%s", url.QueryEscape(nextPageToken))
diff --git a/lib/promscrape/discovery/ec2/api.go b/lib/promscrape/discovery/ec2/api.go
index 7bfd70e8c3..841af481a5 100644
--- a/lib/promscrape/discovery/ec2/api.go
+++ b/lib/promscrape/discovery/ec2/api.go
@@ -11,8 +11,9 @@ import (
 )
 
 type apiConfig struct {
-	awsConfig *awsapi.Config
-	port      int
+	awsConfig          *awsapi.Config
+	filtersQueryString string
+	port               int
 
 	// A map from AZ name to AZ id.
 	azMap     map[string]string
@@ -35,13 +36,14 @@ func newAPIConfig(sdc *SDConfig) (*apiConfig, error) {
 	if sdc.Port != nil {
 		port = *sdc.Port
 	}
-	awsCfg, err := awsapi.NewConfig(sdc.Region, sdc.RoleARN, sdc.AccessKey, sdc.SecretKey.String(), fqs)
+	awsCfg, err := awsapi.NewConfig(sdc.Region, sdc.RoleARN, sdc.AccessKey, sdc.SecretKey.String())
 	if err != nil {
 		return nil, err
 	}
 	cfg := &apiConfig{
-		awsConfig: awsCfg,
-		port:      port,
+		awsConfig:          awsCfg,
+		filtersQueryString: fqs,
+		port:               port,
 	}
 	return cfg, nil
 }
diff --git a/lib/promscrape/discovery/ec2/az.go b/lib/promscrape/discovery/ec2/az.go
index 5c6af3aa25..bd096660e7 100644
--- a/lib/promscrape/discovery/ec2/az.go
+++ b/lib/promscrape/discovery/ec2/az.go
@@ -29,7 +29,7 @@ func getAZMap(cfg *apiConfig) map[string]string {
 
 func getAvailabilityZones(cfg *apiConfig) ([]AvailabilityZone, error) {
 	// See https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeAvailabilityZones.html
-	data, err := cfg.awsConfig.GetEC2APIResponse("DescribeAvailabilityZones", "")
+	data, err := cfg.awsConfig.GetEC2APIResponse("DescribeAvailabilityZones", "", "")
 	if err != nil {
 		return nil, fmt.Errorf("cannot obtain availability zones: %w", err)
 	}
diff --git a/lib/promscrape/discovery/ec2/instance.go b/lib/promscrape/discovery/ec2/instance.go
index 657d92b738..6d74dc8d0a 100644
--- a/lib/promscrape/discovery/ec2/instance.go
+++ b/lib/promscrape/discovery/ec2/instance.go
@@ -29,7 +29,7 @@ func getReservations(cfg *apiConfig) ([]Reservation, error) {
 	var rs []Reservation
 	pageToken := ""
 	for {
-		data, err := cfg.awsConfig.GetEC2APIResponse("DescribeInstances", pageToken)
+		data, err := cfg.awsConfig.GetEC2APIResponse("DescribeInstances", cfg.filtersQueryString, pageToken)
 		if err != nil {
 			return nil, fmt.Errorf("cannot obtain instances: %w", err)
 		}