When launching an Ubuntu instance on AWS EC2, Amazon automatically creates a default user named ubuntu with sudo privileges. This user is preconfigured for SSH access using the key pair you specified during instance creation. While convenient, some administrators prefer to remove this default account for security hardening.
Instead of directly deleting the ubuntu user, follow this safer migration approach:
# 1. Create new administrative user
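sudo adduser newadmin --gecos "" --disabled-password
sudo usermod -aG sudo newadmin
# --disabled-password leaves the account without a usable password, and members of
# the sudo group are asked for one, so set a password before relying on sudo
sudo passwd newadmin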
# 2. Set up SSH access
sudo mkdir -p /home/newadmin/.ssh
sudo cp /home/ubuntu/.ssh/authorized_keys /home/newadmin/.ssh/
sudo chown -R newadmin:newadmin /home/newadmin/.ssh
sudo chmod 700 /home/newadmin/.ssh
sudo chmod 600 /home/newadmin/.ssh/authorized_keys
Before removing the default user, test your new configuration from a second terminal, keeping your current ubuntu session open:
ssh -i your_key.pem newadmin@your-ec2-instance
Ensure you can both log in and perform sudo operations.
Once you have confirmed that the new user works properly:
# Option 1: Disable the ubuntu account (recommended)
sudo usermod --expiredate 1 ubuntu
# Option 2: Completely remove the user (more aggressive)
sudo deluser --remove-home ubuntu
- AWS systems might expect the ubuntu user for certain operations
- Some Ubuntu cloud images have first-boot scripts that run as ubuntu
- Consider keeping the account disabled rather than deleted
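For maximum security without removing users, restrict which accounts may log in over SSH (restart the SSH service for the change to take effect):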
# /etc/ssh/sshd_config
AllowUsers newadmin
DenyUsers ubuntu
When launching an Ubuntu instance on AWS EC2, Amazon automatically creates a default user named 'ubuntu' with sudo privileges. This user is preconfigured to work with the SSH key pair you specified during instance creation. The setup includes:
# /etc/sudoers.d/90-cloud-init-users
ubuntu ALL=(ALL) NOPASSWD:ALL
While convenient, keeping the default 'ubuntu' user presents potential security concerns:
- A well-known username makes brute-force attacks easier
- Default configuration might not match your organization's security policies
- Shared instances among team members benefit from individual accounts
Here's how to properly create a new user and remove the default one:
# First, create your new user
sudo adduser newusername
sudo usermod -aG sudo newusername
# Copy your SSH keys
sudo mkdir /home/newusername/.ssh
sudo cp /home/ubuntu/.ssh/authorized_keys /home/newusername/.ssh/
sudo chown -R newusername:newusername /home/newusername/.ssh
sudo chmod 700 /home/newusername/.ssh
sudo chmod 600 /home/newusername/.ssh/authorized_keys
# Test the new user connection
ssh -i your-key.pem newusername@your-ec2-instance
After confirming the new user works:
# Option 1: Disable the account
sudo usermod --expiredate 1 ubuntu
# Option 2: Remove the user completely (more aggressive)
sudo userdel -r ubuntu
Before removing the default user:
- Check if any system services run as the ubuntu user
- Verify no cron jobs or automated processes depend on this account
- Ensure your new user has all necessary permissions
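The first two checks in this list can be scripted. The following is an added example, not part of the original guide: a shell function that scans systemd units, cron files and sudoers drop-ins for references to an account. The name find_account_deps and its optional ROOT argument are assumptions of this example.

```sh
#!/bin/sh
# find_account_deps USER [ROOT]  (hypothetical helper, added example)
# Prints one "kind:path" line per on-disk dependency on USER and returns 1
# if any were found, 0 otherwise. ROOT (an assumption of this example) is an
# optional prefix such as a mounted volume; empty means the live system.
# Run as root: sudoers drop-ins and the crontab spool are not world-readable.
# USER is interpolated into regexes, so pass a plain account name.
find_account_deps() {
    user=$1
    root=${2:-}
    found=0

    # systemd services configured to run as the account (User=ubuntu)
    for f in "$root"/etc/systemd/system/*.service "$root"/lib/systemd/system/*.service; do
        [ -f "$f" ] || continue
        if grep -Eq "^[[:space:]]*User[[:space:]]*=[[:space:]]*${user}[[:space:]]*\$" "$f"; then
            echo "systemd:$f"; found=1
        fi
    done

    # system crontabs: the run-as user is field 6, or field 2 after @reboot etc.
    for f in "$root"/etc/crontab "$root"/etc/cron.d/*; do
        [ -f "$f" ] || continue
        if awk -v u="$user" 'NF && $1 !~ /^#/ && ($1 ~ /^@/ ? $2 : $6) == u { hit = 1 }
                             END { exit !hit }' "$f"; then
            echo "cron:$f"; found=1
        fi
    done

    # per-user crontab installed with `crontab -e`
    f="$root/var/spool/cron/crontabs/$user"
    if [ -s "$f" ]; then echo "crontab:$f"; found=1; fi

    # sudoers drop-ins with a rule for the account
    for f in "$root"/etc/sudoers.d/*; do
        [ -f "$f" ] || continue
        if grep -Eq "^[[:space:]]*${user}[[:space:]]" "$f"; then
            echo "sudoers:$f"; found=1
        fi
    done

    # live processes, only checked against the running system
    if [ -z "$root" ] && pgrep -u "$user" >/dev/null 2>&1; then
        echo "process:owned by $user"; found=1
    fi
    return "$found"
}
```

Each line it prints names something to migrate to the new account before the ubuntu user is disabled or deleted.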
If you prefer to keep the ubuntu user but make it more secure:
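# Remove password-less sudo
# Set a password first (sudo passwd ubuntu): the account's password is locked by
# default, so sudo could not authenticate once NOPASSWD is removed
# The rule lives in the cloud-init drop-in shown earlier, not in /etc/sudoers itself
sudo visudo -f /etc/sudoers.d/90-cloud-init-users
# Change this line:
ubuntu ALL=(ALL) NOPASSWD:ALL
# To:
ubuntu ALL=(ALL) ALL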