Disable NOPASSWD sudo access for ubuntu user on an EC2 instance

How can I disable the passwordless sudo access for the default ubuntu user on an EC2 instance? Is it safe to do it?


Be sure to either add another user to sudoers first or set a password on the ubuntu account (I would advise the former). Failure to do that could lock you out of sudo on your instance!

So, create a user for yourself, use the ubuntu user to add yourself to sudoers, log back in as yourself and restrict the ubuntu user.

You may notice that the ubuntu user is not actually listed in /etc/sudoers

Check /etc/sudoers.d/90-cloud-init-users

NOTE: Be sure to edit any sudoers file with visudo. e.g.

visudo -f /etc/sudoers.d/90-cloud-init-users

You'll notice a line in that file:

ubuntu ALL=(ALL) NOPASSWD:ALL

You can comment that line out (#) to remove the ubuntu user from sudoers entirely:

# ubuntu ALL=(ALL) ALL

or to require password simply remove the nopasswd section.

ubuntu ALL=(ALL) ALL

Of course you can that. Is it safe? First be sure to set password on user ubuntu.

Edit the sudoers file with command visudo otherwise be very careful. Find the line matching ubuntu user and change it to ubuntu ALL=(ALL:ALL) ALL

  • username is in the beggining of the line
  • first ALL indicates to which hosts it applies (in that case all of them)
  • second ALL is for which user ubuntu can run commands (in that case all of them)
  • third ALL is for which groups ubuntu can run commands (in that case all of them)
  • last but not least ALL means which commands can you run (in that case all of them)

Be sure to chek the manual of sudoers man sudoers. For the first try you can create another user and add it to suders.


Yes, but make sure to set that user's password to something known before you do that.