/etc/passwd continually accessed
Solution 1:
As you are using CentOS, you should be able to find out what sudo is doing by looking in /var/log/secure.
e.g.
sudo tail /var/log/secure
Oct 4 03:45:44 ec2-centos-instance sudo: iain : TTY=pts/0 ; PWD=/home/iain ; USER=root ; COMMAND=/usr/bin/tail /var/log/secure
Edit: Updating with answer from comments
Enabling block dump with:
echo 1 > /proc/sys/vm/block_dump
and taking a look at it with dmesg helped track down which processes were accessing the disk. Much more reliable than iotop. Turns out, sar was running continually, writing out to /var/log/sa/saXX, so I disabled that in cron.d, and all is well again.
Solution 2:
It sounds like you have a script or program that is using sudo to try and do stuff as root. You can enable logging in sudo to figure out what they are trying to do and come up with a better solution (perhaps a setuid binary is in order). Here is more info on sudo (like how to enable logging):
http://aplawrence.com/Basics/sudo.html
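An added example, not part of either answer: a small parser for sudo entries in the /var/log/secure format quoted in Solution 1, tallying who ran what so that a script calling sudo in a loop stands out. The users `monitor` and `bob`, the `check_disk` path and every sample line except the first are constructed for illustration.

```python
import re
from collections import Counter

# sudo's own entries look like the line quoted in Solution 1; PAM session lines
# ("sudo: pam_unix(sudo:session): ...") lack the "user : fields" shape and are skipped.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<host>\S+)\s+sudo(?:\[\d+\])?:\s+"
    r"(?P<user>\S+)\s+:\s+(?P<fields>.*)$"
)

def parse_sudo_line(line):
    """Return a dict for one sudo command entry, or None for any other line."""
    m = SUDO_RE.match(line.rstrip("\n"))
    if not m:
        return None
    # COMMAND= is the last field and may itself contain " ; ", so split it off first.
    head, sep, command = m["fields"].partition("COMMAND=")
    if not sep:
        return None
    entry = {"ts": m["ts"], "host": m["host"], "user": m["user"],
             "note": None, "COMMAND": command}
    for part in (p.strip() for p in head.split(" ; ")):
        key, eq, value = part.partition("=")
        if eq and key.isupper():
            entry[key] = value          # TTY, PWD, USER
        elif part:
            entry["note"] = part        # e.g. "3 incorrect password attempts"
    return entry

def tally(lines):
    """Count entries per (invoking user, target user, command)."""
    counts = Counter()
    for line in lines:
        e = parse_sudo_line(line)
        if e:
            counts[(e["user"], e.get("USER"), e["COMMAND"])] += 1
    return counts

# Constructed sample: the first line is from the answer, the rest are made up.
SAMPLE = """\
Oct 4 03:45:44 ec2-centos-instance sudo: iain : TTY=pts/0 ; PWD=/home/iain ; USER=root ; COMMAND=/usr/bin/tail /var/log/secure
Oct 4 03:46:01 ec2-centos-instance sudo: monitor : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/local/bin/check_disk
Oct 4 03:46:01 ec2-centos-instance sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Oct 4 03:47:01 ec2-centos-instance sudo: monitor : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/local/bin/check_disk
Oct 4 03:47:30 ec2-centos-instance sudo: bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/ls
""".splitlines()

if __name__ == "__main__":
    for (user, target, cmd), n in tally(SAMPLE).most_common():
        print(f"{n:4d}  {user} -> {target}  {cmd}")
```

To run it against the real log, pass an open file handle for /var/log/secure to `tally()`; reading that file normally requires root.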