How to automate a docker run from a private Docker

Posted 2019-04-07 00:21

I have an EC2 server running Docker and I'd like to add the following to the User Data so my private Dockerhub images will be pulled/run when the server starts up, like so:

#!/bin/bash
sudo docker run -p 3333:3333 -d --name Hello myusername/hello

But I'm unsure as to how to go about authenticating in order to gain access to the private repo myusername/hello.

With GitHub you create and upload a deploy key; does Dockerhub offer a similar deploy key option?

3 answers
beautiful°
#2 · 2019-04-07 00:46

UPDATE: Figured out an even better way that doesn't involve baking your creds into an image at all. See the following question for information that would be applicable to solving this problem as well: Is it secure to store EC2 User-Data shell scripts in a private S3 bucket?

This helps keep your secrets in the least number of places necessary at any given time.


Figured out a better way:

  1. Launch a machine using your desired OS
  2. Install Docker
  3. Run sudo docker login on that machine
  4. Upon successful authentication, Docker will place a .dockercfg file in your home directory (e.g. /home/yourusername/.dockercfg). Docker will use this file for all authentication from now on.
  5. Create an image of your machine to be used when launching all new instances. This image will now have the .dockercfg file baked-in.
  6. Add the following to the User Data of your machine image:
#!/bin/bash
sudo docker run -p 3333:3333 -d --name Hello yourusername/hello

Now when you launch an instance based on your machine image, your sudo docker run commands will succeed in pulling private repos, provided the user you run the docker command under has a .dockercfg file in their home directory.

Hope that helps anyone looking to figure this out.

Summer. ? 凉城
#3 · 2019-04-07 00:57

Update: See my other answer for a better method that doesn't require hard-coding your creds into your User Data script.


To get an instance to pull a private Dockerhub repo upon launching you can authenticate simply by running sudo docker login in the User Data start-up script before your sudo docker run command, altogether like so:

#!/bin/bash
sudo docker login -u <username> -p <password> -e <email>
sudo docker run -p 3333:3333 -d --name Hello myusername/hello

This requires hard-coding your Dockerhub creds into your User Data script, which is less than ideal, but it does work.

SAY GOODBYE
#4 · 2019-04-07 01:00

I figured out a better way if you care to use ECS (which creates the EC2 instance/s for you) and don't want to utilize file storage in your solution. I mixed the solutions suggested by @AJB ('User Data' property and 'docker login' output); I'll describe the process:

  1. Use docker login on your machine (no sudo needed as far as I can tell). Upon successful login, run cat .docker/config.json and you'll get something like:

{"auths":{"https://index.docker.io/v1/":{"auth":"KEY","email":"EMAIL"}}}

  2. Copy the KEY and EMAIL aside
  3. On ECS - create a cluster, service and a task definition (with the image property set to yourusername/hello); this will automatically generate the configuration for the EC2
  4. On EC2 menu - go to Launch Configuration menu and choose the launch configuration generated by ECS
  5. Click on copy launch configuration button and edit to taste (you can change the AMI although I'd recommend staying with Amazon Linux AMI unless you have to; set a new descriptive name)
  6. Inside Edit Details -> Advanced Details edit the User Data property and add the following (replace KEY and EMAIL):
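# -p: do not fail if the directory already exists
mkdir -p /home/ec2-user/.docker/
# Overwrite rather than append, so the file always holds a single JSON object
echo '{"auths":{"https://index.docker.io/v1/":{"auth":"KEY","email":"EMAIL"}}}' > /home/ec2-user/.docker/config.json
# Restart the ECS agent
sudo stop ecs
sudo start ecs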
  7. Switch to Auto Scaling Groups menu and choose the one generated by ECS
  8. Click Edit and choose the Launch Configuration you just created, save
  9. Switch to Instances menu and terminate the running instance
  10. You're done!

A new instance will shortly be launched by the Auto Scaling Group, which now uses the new configuration that allows access to the private repository on your DockerHub account.
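
An added example, not part of the original answers: a shell sketch of the config.json step described above that restricts the file to its owner and shows that the "auth" KEY is only base64 of user:secret, so User Data or an image containing it holds the login itself. The function names and the credentials used to call them are hypothetical, and the email field is left out of this sketch.

```shell
#!/bin/sh
# Added example: builds and inspects the Docker client auth file.
# Function names are hypothetical; pass constructed placeholder credentials.

# The "auth" value is base64("user:secret"): an encoding, not encryption.
make_docker_auth() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Write <dir>/config.json for Docker Hub. The file is overwritten on each
# call, and the directory and file are readable by the owning user only.
write_docker_config() {
    dir=$1 user=$2 secret=$3
    (
        umask 077
        mkdir -p "$dir" || exit 1
        printf '{"auths":{"https://index.docker.io/v1/":{"auth":"%s"}}}\n' \
            "$(make_docker_auth "$user" "$secret")" > "$dir/config.json"
    ) || return 1
    # Tighten permissions even if the directory or file already existed.
    chmod 700 "$dir" && chmod 600 "$dir/config.json"
}

# Recover "user:secret" from a file written by write_docker_config.
# Anyone who can read the file can do the same.
decode_docker_auth() {
    sed -n 's/.*"auth":"\([^"]*\)".*/\1/p' "$1" | base64 -d
}
```

Because the value decodes straight back to the login, a Docker Hub access token that can be revoked is a safer secret to place here than the account password.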
