How do I remove the ec2-user account from my Amazon EC2 Linux instance?
I want to safely remove or lock the default ec2-user AWS account on my Amazon Elastic Compute Cloud (Amazon EC2) Linux instances.
Short description
By default, Amazon EC2 provides the ec2-user account on Amazon Linux, Red Hat Enterprise Linux (RHEL), and SUSE Linux Amazon Machine Images (AMIs). It's a best practice to use ec2-user for administrative tasks such as software installation, system configuration, and package management. If you want to deactivate (lock) or delete ec2-user, then make sure that you provide the required administrative permissions to new user accounts.
Before you deactivate or delete ec2-user, take the following actions:
- Thoroughly test the new user's access and permissions.
- Review and update scripts, automation tools, and applications that rely on the ec2-user.
- Set up at least two active administrative user accounts that you keep available until you verify all your changes.
Resolution
Important: To avoid accidentally locking yourself out of your instance, complete the following resolution steps in order and in one sitting.
Back up your instances
Before you change your user accounts, it's a best practice to create a backup of your EC2 instance. Create an Amazon Elastic Block Store (Amazon EBS)-backed AMI, or create a snapshot of the EBS volume that's attached to your instance. You can use this backup to roll back the changes if you encounter issues.
Create a new user account
Complete the following steps:
- Connect to your EC2 instance with the ec2-user account.
- Run the following command to create a new user account with administrative permissions:
sudo adduser newusername
Note: Replace newusername with your new username.
- Run the following command to add the new user account to the wheel group, which has sudo permissions by default:
sudo usermod -aG wheel newusername
Note: Replace newusername with your new username.
Set up SSH access for the new user
Complete the following steps:
- Run the following command to create a .ssh directory for the new user:
sudo mkdir /home/newusername/.ssh
Note: Replace newusername with your new username.
- Run the following command to generate a new SSH key pair:
ssh-keygen -t ed25519 -C "newusername@example.com" -f ~/.ssh/newusername_key
Note: Replace newusername with your new username and example.com with your domain.
- If you generated the new SSH key pair on your local machine, then run the following command to copy the new public key to the EC2 instance:
cat ~/.ssh/newusername_key.pub | ssh -i current_key.pem ec2-user@your-instance-ip "sudo tee /home/newusername/.ssh/authorized_keys"
Note: Replace current_key.pem with the key that you currently use for ec2-user, newusername with your new username, and your-instance-ip with your instance IP address.
If you generate the SSH key pair directly on the instance, then make sure to securely copy the private key to your local machine. You must use the private key for future SSH access from outside the instance. To copy the private key from the EC2 instance to your local machine, run the following command:
scp -i your-existing-key.pem ec2-user@your-instance-ip:/home/ec2-user/.ssh/newusername_key ~/Downloads/
Note: Replace your-existing-key with your existing key, your-instance-ip with your instance IP address, and newusername with your new username.
It's a best practice to generate a new SSH key pair for improved security. However, you can instead reuse the ec2-user SSH key. This provides a quicker but less secure setup. To copy the existing ec2-user public key to the new user's authorized keys, run the following command:
sudo cp /home/ec2-user/.ssh/authorized_keys /home/newusername/.ssh/authorized_keys
Note: Replace newusername with your new username.
- Run the following commands to set up the required permissions:
sudo chown -R newusername:newusername /home/newusername/.ssh
sudo chmod 700 /home/newusername/.ssh
sudo chmod 600 /home/newusername/.ssh/authorized_keys
Note: Replace newusername with your new username.
(Amazon Linux, RHEL, and SUSE only) Make sure that your new user has full sudo access
Complete the following steps:
- To verify that the current sudo configuration is valid, run the following command:
sudo visudo -c
- If needed, run the following command to open the sudoers file:
sudo EDITOR=vim visudo
- If the new user isn't part of a group such as wheel or sudo, then add the following line to the file:
newusername ALL=(ALL) NOPASSWD:ALL
Note: Replace newusername with your new username.
Test the new user's access
Important: You must confirm that the new user has both SSH and sudo access before you remove or deactivate other administrative users.
To confirm that the new user can access and operate the instance, complete the following steps:
- Open a new terminal window.
- Run the following command to test SSH login with the new key:
ssh -i ~/.ssh/newusername_key newusername@your-instance-ip
Note: Replace newusername with your new username and your-instance-ip with your instance IP address.
- Run the following command to verify sudo access:
sudo whoami
Make sure that you receive root in the output. Example output:
root
- (Optional) To make sure that you have full access, run a typical sudo command. Example command:
sudo yum update -y
Check for dependencies
Complete the following steps:
- Make sure that no applications or processes use files from the /home/ec2-user home directory. To check for open files or processes, run the following command:
sudo lsof +D /home/ec2-user
- If you find processes or applications that use files from the ec2-user home directory, then you must migrate the files and permissions. To create a temporary directory for migrated files, run the following command:
sudo mkdir -p /home/newusername/moved_files
Note: Replace newusername with your new username.
- To copy or move files to the new user's home directory, run the following command:
sudo cp -rp /home/ec2-user/some_app /home/newusername/moved_files/
Note: Replace some_app with your application name and newusername with your new username.
- To update ownership and permissions, run the following command:
sudo chown -R newusername:newusername /home/newusername/moved_files
Note: Replace newusername with your new username.
If you have crontab entries, then complete the following steps:
- To export crontab entries from ec2-user, run the following command:
sudo crontab -u ec2-user -l > /tmp/ec2-user-crontab
- To import crontab entries for the new user, run the following command:
sudo crontab -u newusername /tmp/ec2-user-crontab
Note: Replace newusername with your new username.
Update your system and application configurations
Review and modify system or service configuration files that reference the ec2-user. To search for occurrences of ec2-user across configuration files, run the following command:
sudo grep -r "ec2-user" /etc/
Make sure that you update application-specific settings and scripts that use ec2-user to reflect the new username.
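The grep above finds every file that mentions ec2-user, but not every hit matters equally. The following script is an added example, not part of the AWS article: it runs the same recursive search and then separates out the hits that change runtime behaviour, namely systemd units that run as the user, /etc/cron.d jobs whose user field names it, and an sshd AllowUsers line that would keep the new user from logging in at all. The configuration tree it scans is constructed in a temporary directory (file names chosen to resemble a real instance) so that it runs offline; on a real instance, point ROOT at /etc and replace newusername with your new username.

```shell
#!/bin/sh
# Added example (not from the AWS article): inventory what still depends on
# ec2-user before the account is locked or deleted. The tree under ROOT is
# constructed below so the script runs offline; on an instance use ROOT=/etc.

set -u

# list_user_refs ROOT USER : files under ROOT that mention USER, sorted
list_user_refs() {
    grep -rl -- "$2" "$1" 2>/dev/null | sort
}

# count_user_refs ROOT USER : number of files that mention USER
count_user_refs() {
    list_user_refs "$1" "$2" | wc -l | tr -d ' '
}

# systemd_units_running_as ROOT USER : unit files that carry a User=USER line
systemd_units_running_as() {
    grep -rlE -- "^[[:space:]]*User=[[:space:]]*$2[[:space:]]*$" "$1" 2>/dev/null | sort
}

# cron_d_jobs_for ROOT USER : lines in ROOT/cron.d whose user field is USER
# (field 6 for "m h dom mon dow" entries, field 2 for @reboot-style entries)
cron_d_jobs_for() {
    [ -d "$1/cron.d" ] || return 0
    awk -v u="$2" '
        /^[ \t]*(#|$)/ { next }   # skip comments and blank lines
        ($1 ~ /^@/ && $2 == u) || ($1 !~ /^@/ && $6 == u) { print FILENAME ": " $0 }
    ' "$1"/cron.d/* 2>/dev/null
}

# sshd_allowusers_without ROOT NEWUSER : AllowUsers lines that omit NEWUSER;
# such a line would stop the new account from logging in over SSH
sshd_allowusers_without() {
    cfg="$1/ssh/sshd_config"
    [ -f "$cfg" ] || return 0
    grep -iE '^[[:space:]]*AllowUsers[[:space:]]' "$cfg" | grep -vw -- "$2" || true
}

# ---- constructed sample configuration tree (not from a real instance) -------
ROOT="$(mktemp -d)"
mkdir -p "$ROOT/systemd/system" "$ROOT/cron.d" "$ROOT/sudoers.d" "$ROOT/ssh"
printf '[Service]\nUser=ec2-user\nExecStart=/opt/myapp/run\n' > "$ROOT/systemd/system/myapp.service"
printf '15 3 * * * ec2-user /home/ec2-user/bin/backup.sh\n' > "$ROOT/cron.d/backup"
printf '@reboot ec2-user /home/ec2-user/bin/warmup.sh\n0 * * * * root /usr/bin/true\n' > "$ROOT/cron.d/misc"
printf 'ec2-user ALL=(ALL) NOPASSWD:ALL\n' > "$ROOT/sudoers.d/90-cloud-init-users"
printf 'AllowUsers ec2-user\n' > "$ROOT/ssh/sshd_config"
printf 'ip-10-0-0-1\n' > "$ROOT/hostname"   # no reference; must not be reported

# report : print the inventory for ec2-user and the AllowUsers gap for newusername
report() {
    echo "files mentioning ec2-user: $(count_user_refs "$ROOT" ec2-user)"
    list_user_refs "$ROOT" ec2-user | sed 's/^/  /'
    echo "systemd units running as ec2-user:"
    systemd_units_running_as "$ROOT" ec2-user | sed 's/^/  /'
    echo "cron.d jobs owned by ec2-user:"
    cron_d_jobs_for "$ROOT" ec2-user | sed 's/^/  /'
    echo "sshd AllowUsers lines that omit newusername:"
    sshd_allowusers_without "$ROOT" newusername | sed 's/^/  /'
}

report
```

Each category calls for a different fix: a unit with User=ec2-user needs the directive changed and the unit reloaded, a cron.d job needs its user field and any /home/ec2-user paths updated (the same applies to entries you import with crontab -u), and an AllowUsers line must include the new user before you lock ec2-user, or the new account can't log in even with a valid key.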
By default, AWS Systems Manager Agent (SSM Agent) runs as ec2-user or uses the ec2-user permissions and environment settings. Keep a working session or a backup access method available until you verify that SSM Agent works correctly with the new user configuration. Before you remove or modify ec2-user, check that SSM Agent meets the following conditions:
- It runs under a system-level user (root) or the new user.
- It can access required system files and environment variables.
- You correctly configured it in the /etc/amazon/ssm/amazon-ssm-agent.json file.
Important: If you don't configure the SSM Agent before you deactivate or delete ec2-user, then you might lose access to the following features:
- Session Manager, a capability of AWS Systems Manager
- Session Manager run commands and automation
- Inventory, a capability of AWS Systems Manager
- Patch Manager, a capability of AWS Systems Manager
Deactivate the ec2-user account
If you deactivate ec2-user, then you can't use it for login or other processes. To deactivate ec2-user, complete the following steps:
- Connect to your EC2 instance with the new user account.
- Run the following command to deactivate password login for ec2-user:
sudo passwd -l ec2-user
- Run the following command to remove ec2-user from the sudo or wheel group:
sudo gpasswd -d ec2-user wheel
- (Optional) To remove SSH access from ec2-user, run the following command:
sudo rm /home/ec2-user/.ssh/authorized_keys
If you need to reactivate ec2-user, then connect to your EC2 instance and run the following command:
sudo passwd -u ec2-user
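The two conditions the article asks you to verify by hand before this point, the 700/600 layout set in the "Set up SSH access for the new user" steps and the "at least two active administrative user accounts" rule, can be checked mechanically right before you lock ec2-user. The following preflight script is an added example, not part of the AWS article: it reads a group file and a home-directory base, takes the members of the sudo group (wheel on Amazon Linux, RHEL, and SUSE), and counts how many of them other than ec2-user have a non-empty authorized_keys file with the expected permissions. The group file and home directories are constructed in a temporary directory so that it runs offline; on a real instance, pass /etc/group, wheel, and /home. It assumes a stat that accepts either GNU -c or BSD -f format flags.

```shell
#!/bin/sh
# Added example (not from the AWS article): preflight gate to run before
# "sudo passwd -l ec2-user". Sample data is constructed below so it runs
# offline; on an instance call: preflight_ok /etc/group wheel /home ec2-user

set -u

# mode_of PATH : octal permission bits, using GNU stat or BSD stat
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_ssh_layout HOME_DIR : 0 if HOME_DIR/.ssh is 700 and authorized_keys is
# a non-empty 600 file (the layout the article's chmod steps produce);
# otherwise prints the first problem found and returns 1
check_ssh_layout() {
    home="$1"
    sshdir="$home/.ssh"
    keys="$sshdir/authorized_keys"
    [ -d "$sshdir" ] || { echo "missing $sshdir"; return 1; }
    [ "$(mode_of "$sshdir")" = "700" ] || { echo "$sshdir is not mode 700"; return 1; }
    [ -s "$keys" ] || { echo "$keys is missing or empty"; return 1; }
    [ "$(mode_of "$keys")" = "600" ] || { echo "$keys is not mode 600"; return 1; }
    return 0
}

# admin_members GROUP_FILE GROUP_NAME : members of GROUP_NAME, one per line
admin_members() {
    awk -F: -v g="$2" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$1"
}

# count_ready_admins GROUP_FILE GROUP_NAME HOME_BASE EXCLUDED_USER : how many
# group members other than EXCLUDED_USER pass check_ssh_layout
count_ready_admins() {
    count=0
    for u in $(admin_members "$1" "$2"); do
        [ "$u" = "$4" ] && continue
        if check_ssh_layout "$3/$u" >/dev/null; then
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# preflight_ok GROUP_FILE GROUP_NAME HOME_BASE EXCLUDED_USER : succeeds only if
# at least two other administrators are ready, per the article's rule
preflight_ok() {
    [ "$(count_ready_admins "$@")" -ge 2 ]
}

# ---- constructed sample data (not from a real instance) ---------------------
LAB="$(mktemp -d)"
printf 'wheel:x:10:ec2-user,alice,bob\n' > "$LAB/group"
for u in ec2-user alice bob; do
    mkdir -p "$LAB/home/$u/.ssh"
    chmod 700 "$LAB/home/$u/.ssh"
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA-constructed %s@example.com\n' "$u" > "$LAB/home/$u/.ssh/authorized_keys"
    chmod 600 "$LAB/home/$u/.ssh/authorized_keys"
done
# Simulate a common slip on one admin account: group-readable authorized_keys.
chmod 640 "$LAB/home/bob/.ssh/authorized_keys"

if preflight_ok "$LAB/group" wheel "$LAB/home" ec2-user; then
    echo "safe to lock ec2-user"
else
    echo "do NOT lock ec2-user yet: only $(count_ready_admins "$LAB/group" wheel "$LAB/home" ec2-user) other admin(s) ready"
    check_ssh_layout "$LAB/home/bob" || true
fi
```

With the sample data the gate fails, because only alice passes; after bob's file is corrected to 600 it passes. Two points to keep in mind when you use this on a real instance: sudo rights can also come from /etc/sudoers.d entries rather than group membership, so the group-file check is a floor, not a complete audit; and passwd -l locks only the password, so an ec2-user key that is still in authorized_keys keeps working, which is why the optional step that removes that file matters.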
Delete the ec2-user account
Important: If you delete ec2-user, then you remove it and its home directory from your instance. You can't reactivate ec2-user if you delete it.
To delete ec2-user, complete the following steps:
- Connect to your EC2 instance with the new user account.
- Run the following command to delete ec2-user:
sudo userdel -r ec2-user
When you delete ec2-user, the following automated processes are affected:
- Custom scripts that assume ec2-user exists fail.
- Cron jobs that you set up under ec2-user no longer run.
Recover an instance that you can't access
If you lose sudo access, then use EC2 Instance Connect or Session Manager to connect to your instance. Or, you can use an Amazon EBS snapshot or AMI to restore your instance.
Adhere to security best practices
Take the following actions:
- Periodically rotate SSH keys to enhance security and reduce the risk of compromised access.
- Create unique SSH keys for each administrative user to set up individual accountability.
- Activate logging of all sudo activity to track and audit administrative actions.
- For better cryptographic strength and performance, use strong, modern key types, such as ed25519.
- Maintain an updated list of all users with administrative privileges for proper access control and review.
- Monitor login attempts to detect unauthorized access or brute-force attacks.
Important: Make sure that you can always access at least one fully functional administrative account. Test all changes thoroughly before you deactivate or modify existing access.