How does Amazon ec2-user get its sudo rights

It's in /etc/sudoers.d/cloud-init. I, too, delete it from my production systems as soon as I can.

It is included by virtue of the line

#includedir /etc/sudoers.d

in the /etc/sudoers file. Note that, as it says, that leading # isn't treated as a comment sign. On some of my servers, it's also in /etc/sudoers.d/90-cloud-init-users; it may be safest to userdel the ec2-user user.


Indeed it is a file from /etc/sudoers.d/

From the master sudoers file, the very last part:
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d

Specifically the small bit which reads "# here does not mean a comment".

And then:

[root@webmaster ec2-user]# cd /etc/sudoers.d/
[root@webmaster sudoers.d]# ls -l
total 4
-r--r----- 1 root root 88 May  5 09:16 cloud-init
[root@webmaster sudoers.d]# grep ec2-user *
ec2-user ALL = NOPASSWD: ALL
# User rules for ec2-user
ec2-user ALL=(ALL) NOPASSWD:ALL

Voila.
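Putting both answers together, as an added example that is not code from either answer: a small POSIX shell audit that follows `#includedir` from the master file into the drop-in directory and lists every rule granting NOPASSWD, skipping real comments and the file names sudo itself ignores. The sample tree it builds is constructed for the demo; on a real host point audit_sudoers at /etc/sudoers.

```shell
#!/bin/sh
# Added example, not code from either answer above: audit a sudoers tree for
# passwordless rules, treating "#includedir" as the directive it is rather than
# as a comment. Sample files are constructed by make_demo_tree for the demo.

# Print every include directory named in a sudoers file. The legacy
# "#includedir" spelling and the "@includedir" form (sudo 1.9.1+) both count.
sudoers_includedirs() {
    sed -n 's/^[#@]includedir[[:space:]]\{1,\}//p' "$1"
}

# Print "file:line:rule" for each NOPASSWD grant in a drop-in directory.
# Real comments (leading #) are dropped, as are files sudo itself ignores
# (names containing a '.' or ending in '~', e.g. editor backups).
nopasswd_rules() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case ${f##*/} in *.*|*~) continue ;; esac
        grep -n 'NOPASSWD' "$f" | grep -v '^[0-9]*:[[:space:]]*#' \
            | sed "s|^|${f##*/}:|"
    done
}

# Walk from the master file into each included directory.
audit_sudoers() {
    for dir in $(sudoers_includedirs "$1"); do
        nopasswd_rules "$dir"
    done
}

# Constructed demo tree mirroring the answers: a master file with #includedir,
# the cloud-init drop-in, a commented-out rule, and an ignored *.rpmsave copy.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir "$root/sudoers.d"
    printf '## Read drop-in files (the # here does not mean a comment)\n#includedir %s/sudoers.d\n' \
        "$root" > "$root/sudoers"
    printf '# User rules for ec2-user\nec2-user ALL=(ALL) NOPASSWD:ALL\n' \
        > "$root/sudoers.d/cloud-init"
    printf '# ec2-user ALL=(ALL) NOPASSWD:ALL\n' > "$root/sudoers.d/90-cloud-init-users"
    printf 'ec2-user ALL=(ALL) NOPASSWD:ALL\n' > "$root/sudoers.d/cloud-init.rpmsave"
    printf '%s\n' "$root"
}

demo=$(make_demo_tree)
audit_sudoers "$demo/sudoers"   # on a real host: audit_sudoers /etc/sudoers
rm -rf "$demo"
```

This only finds grants; `visudo -c` is the tool to confirm that the files still parse after you delete or edit a drop-in.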