
I am looking for where the default Amazon AMI linux image sets up the privileges for the default ec2-user account.

After logging in with this account I can use sudo successfully. Checking via the sudoers file, which I open by running visudo (with no other options), I see a few default settings and permissions for root ALL ALL.

So ... where are the permissions for ec2-user assigned?

I have not yet tried to add a new permission, but ultimately I want to resign ec2-user for systems management tasks and use a non-full root user for administering the applications (stop and start mysql, httpd, edit apache's vhost files, and upload / edit web content under the web root).

Johan

2 Answers


It's in /etc/sudoers.d/cloud-init. I, too, delete it from my production systems as soon as I can.

It is included by virtue of the line

#includedir /etc/sudoers.d

in the /etc/sudoers file. Note that, as it says, that leading # isn't treated as a comment sign. On some of my servers, it's also in /etc/sudoers.d/90-cloud-init-users; it may be safest to userdel the ec2-user user.

MadHatter
  • Yes it is. Now why don't you fix your answer so that I can award you the credit? – Johan May 29 '14 at 09:06
  • What on _earth_ were the `sudo` devs thinking [with that #include syntax](https://www.sudo.ws/man/1.8.13/sudoers.man.html#Including_other_files_from_within_sudoers) when the comment character is `#`? – DaveGauer May 19 '18 at 23:02
  • @DaveGauer it's using the same syntax as a C preprocessor (`#include "file"` or `#include `). But yes, that's a bad choice for a config file. – Tony Cesaro Jun 29 '18 at 21:38

Indeed, it is a file from /etc/sudoers.d/.

From the master sudoers file, the very last part:
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d

Specifically, the small bit which reads: # here does not mean a comment.

And then:

[root@webmaster ec2-user]# cd /etc/sudoers.d/
[root@webmaster sudoers.d]# ls -l
total 4
-r--r----- 1 root root 88 May  5 09:16 cloud-init
[root@webmaster sudoers.d]# grep ec2-user *
ec2-user ALL = NOPASSWD: ALL
# User rules for ec2-user
ec2-user ALL=(ALL) NOPASSWD:ALL

Voila.

Johan
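Both answers come down to the same mechanism: sudo pulls in the /etc/sudoers.d drop-ins through the `#includedir` directive, so reading /etc/sudoers on its own misses the ec2-user grant. The following is an added example, not code from either answer: a small Python resolver that follows `#include`/`#includedir`, applies sudo's documented rule of ignoring drop-in names that contain a dot or end in `~`, and lists every user or group holding a passwordless ALL rule. The sudoers tree it builds under a temporary directory is constructed to mirror the files shown on this page.

```python
import os
import re
import tempfile

# sudo's include directive begins with '#' (or '@' in newer releases),
# so it must be matched before a '#' line is dismissed as a comment.
_DIRECTIVE = re.compile(r"^[#@]include(dir)?\s+(\S+)")


def sudo_rules(path):
    """Return (file, line) pairs for every non-comment rule reachable from path."""
    rules = []
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            m = _DIRECTIVE.match(line)
            if m:
                if m.group(1):  # includedir: sudo skips names with '.' or ending in '~'
                    for name in sorted(os.listdir(m.group(2))):
                        if "." in name or name.endswith("~"):
                            continue
                        rules.extend(sudo_rules(os.path.join(m.group(2), name)))
                else:
                    rules.extend(sudo_rules(m.group(2)))
            elif line and not line.startswith("#"):
                rules.append((path, line))
    return rules


def passwordless_all(rules):
    """Users/groups granted NOPASSWD on ALL commands (with or without a space after the colon)."""
    return sorted({r.split()[0] for _, r in rules if re.search(r"NOPASSWD:\s*ALL\b", r)})


def demo():
    """Build a constructed sudoers tree mirroring the page, then resolve it."""
    root = tempfile.mkdtemp()
    dropin = os.path.join(root, "sudoers.d")
    os.mkdir(dropin)
    with open(os.path.join(root, "sudoers"), "w") as fh:
        fh.write("root ALL=(ALL) ALL\n## Read drop-in files\n#includedir %s\n" % dropin)
    with open(os.path.join(dropin, "cloud-init"), "w") as fh:
        fh.write("# User rules for ec2-user\nec2-user ALL=(ALL) NOPASSWD:ALL\n")
    with open(os.path.join(dropin, "README.bak"), "w") as fh:  # dotted name: sudo ignores it
        fh.write("backup ALL=(ALL) NOPASSWD:ALL\n")
    return passwordless_all(sudo_rules(os.path.join(root, "sudoers")))


if __name__ == "__main__":
    print(demo())  # ['ec2-user']
```

Point sudo_rules at a real /etc/sudoers (as root) to see the effective grants, including any 90-cloud-init-users drop-in MadHatter mentions.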