How does Amazon ec2-user get its sudo rights

sudo amazon-ec2

It's in /etc/sudoers.d/cloud-init. I, too, delete it from my production systems as soon as I can.

It is included by virtue of the line

#includedir /etc/sudoers.d

in the /etc/sudoers file. Note that, as it says, that leading # isn't treated as a comment sign. On some of my servers, it's also in /etc/sudoers.d/90-cloud-init-users; it may be safest to userdel the ec2-user user.


Indeed it is a file from /etc/sudoers.d/ 

From the master sudoers file, the very last part:
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d

Specifically the small bit which reads # here does not mean a comment

And then:

[root@webmaster ec2-user]# cd /etc/sudoers.d/
[root@webmaster sudoers.d]# ls -l
total 4
-r--r----- 1 root root 88 May  5 09:16 cloud-init
[root@webmaster sudoers.d]# grep ec2-user *
ec2-user ALL = NOPASSWD: ALL
# User rules for ec2-user
ec2-user ALL=(ALL) NOPASSWD:ALL

Voila.

Related

Non-interactive creation of SSL certificate requests
Is KVM a type 1 or type 2 hypervisor? [closed]
How do I prove two files are the same legally?
Cage nuts - which way to insert them?
dpkg: warning: files list file for package 'x' missing
Nginx redirect based on user agent
Can I use AWS ECR image directly in my Dockerfile?
What's the difference between `yum install <local path>` and `yum localinstall <local path>`
How to track all files a process opens in its lifetime
How to Read the haproxy Stats Page
How much overhead does x86/x64 virtualization have?
Isn't it a huge security issue to include the MAC address inside of an IPv6 address by default