Disabling the ec2-user account on an Amazon EC2 instance

By Philip Knerr

Introduction

By default, Amazon EC2 instances have a shared administrative account with a username of ec2-user. However, shared accounts are less secure than individual accounts. Individual accounts have the advantages noted in the Creating new users on an Amazon EC2 instance article.

Therefore, once you have completed initial configuration of a new EC2 instance, the ec2-user account should be disabled for improved security. Instead, an individual account should be created for each person who needs to administer the EC2 instance.

The context and caveats in the Foreword apply to this article.

This information is current as of September 5, 2017.

Requirements

This article assumes that:

Disabling the ec2-user account

Disable the ec2-user account by executing the following command:

sudo mv ~ec2-user/.ssh/authorized_keys ~ec2-user/.ssh/disabled_keys

That’s all it takes! It will no longer be possible to authenticate to the ec2-user account using the key pair installed when the server was provisioned.

It’s even possible to execute this command as the ec2-user account itself. In this case, the sudo prefix is unnecessary. The ec2-user account will remain logged in until it is logged out, at which point it will be unable to log in again.

Warning: If you disable the ec2-user account without having created at least one other account with superuser access, it will be impossible to administer the system. This can also occur if the last remaining account with superuser access is subsequently disabled. In either case, this situation can be corrected by enabling the ec2-user account again as explained below. Nonetheless, it’s better to use caution to avoid this situation in the first place.
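An added example, not part of the original article, that wraps the mv step above in the lock-out guard the warning describes: it refuses to disable the account unless some other user both holds a non-empty authorized_keys file and belongs to the wheel or sudo group. The ROOT argument is an assumption introduced here ("/" on the live instance, or a mount point such as /mnt/data2 when the root volume is attached to another instance), and approximating superuser access by wheel/sudo group membership in /etc/group is a simplification that ignores /etc/sudoers.

```shell
#!/bin/sh
# Added example, not from the original article. ROOT is a constructed
# parameter: "/" on the live instance, or a mount point such as
# /mnt/data2 when the root volume is attached to another instance.
# Superuser access is approximated by wheel/sudo membership in
# ROOT/etc/group; /etc/sudoers is not parsed.

# is_superuser ROOT USER: true if USER is listed as a member of the
# wheel or sudo group (group file format: name:password:gid:members).
is_superuser() {
    grep -Eq "^(wheel|sudo):[^:]*:[^:]*:(.*,)?$2(,|\$)" \
        "${1%/}/etc/group" 2>/dev/null
}

# count_other_key_holders ROOT USER: prints how many users other than
# USER have both a non-empty authorized_keys file and superuser access.
count_other_key_holders() {
    root="${1%/}"; skip="$2"; n=0
    for d in "$root"/home/*/; do
        u=$(basename "$d")
        [ "$u" = "$skip" ] && continue
        [ -s "$d.ssh/authorized_keys" ] || continue
        is_superuser "$root" "$u" && n=$((n + 1))
    done
    echo "$n"
}

# disable_account ROOT USER: the article's mv step, guarded. Returns 1
# and changes nothing if no other superuser could still log in, and 2
# if the account has no authorized_keys file (already disabled).
disable_account() {
    root="${1%/}"; sshdir="$root/home/$2/.ssh"
    [ -f "$sshdir/authorized_keys" ] || return 2
    [ "$(count_other_key_holders "$root" "$2")" -gt 0 ] || return 1
    mv "$sshdir/authorized_keys" "$sshdir/disabled_keys"
}
```

Source the file in a root shell and run `disable_account / ec2-user`; a non-zero return means the key file was left in place.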

Enabling the ec2-user account again

The ec2-user account can be enabled again if needed or desired.

Warning: The instructions in this section will not work if the root volume is an instance store.

First, stop the EC2 instance on which the ec2-user account should be enabled. To do so, perform the following steps in the EC2 Dashboard:

  1. Go to “Instances” in the left navigation, under the menu of the same name.
  2. Select the EC2 instance on which the ec2-user account should be enabled.
  3. Under the “Actions” drop-down menu, go to the “Instance State” submenu and select “Stop”.

Then, detach the root volume for this instance. To do so, perform the following steps in the EC2 Dashboard:

  1. Go to “Volumes” in the left navigation, under the “Elastic Block Store” menu.
  2. Select the root volume of the EC2 instance which you just stopped. This will normally be the volume which is attached at /dev/xvda.
  3. Make a note of where the volume was attached.
  4. Under the “Actions” drop-down menu, select “Detach Volume”.

Then, attach this volume to a different EC2 instance. This EC2 instance may already be running. It may instead be a new EC2 instance started expressly for this purpose. In either case, this EC2 instance must be in the same availability zone as the EC2 instance on which the ec2-user account should be enabled. Perform the following steps in the EC2 Dashboard:

  1. With this volume still selected, under the “Actions” drop-down menu, select “Attach Volume”.
  2. In the resulting pop-up menu, click on the text field labeled “Instance”.
  3. Select the EC2 instance to which you wish to attach this volume.
  4. Note the value which is populated in the “Device” text field. This value will normally start with /dev/. You’ll need to enter this value below.
  5. Leave this browser window open; you’ll need to return to it momentarily.

Now, log in via SSH (e.g., Terminal) to the EC2 instance to which the volume was attached. Be sure to log in as a user with superuser access.

Mount the volume by executing the following commands, where <device> is the value you noted from the “Device” text field:

sudo mkdir /mnt/data2
sudo mount <device>1 /mnt/data2

In the above, 1 should immediately follow the value from the “Device” text field (i.e., with no space in between). For example, if that value is /dev/sdf, execute the following commands:

sudo mkdir /mnt/data2
sudo mount /dev/sdf1 /mnt/data2

N.B. If a data volume is already mounted at /mnt/data2, just choose a different mount point within the /mnt directory and update the paths above and below accordingly.

Reverse the command which was used to disable the ec2-user account by executing the following command:

sudo mv /mnt/data2/home/ec2-user/.ssh/disabled_keys /mnt/data2/home/ec2-user/.ssh/authorized_keys

N.B. The paths in the command above assume that the home directory for the ec2-user account is in the standard location. If home directories are in a non-standard location on the EC2 instance, the paths above need to be updated accordingly.

Unmount the volume by executing the following command, where <device>1 is as above:

sudo umount <device>1

Then, detach this volume. In the EC2 Dashboard:

  1. Go back to the browser window which is open to the “Elastic Block Store” menu.
  2. Select this volume.
  3. Under the “Actions” drop-down menu, select “Detach Volume”.

Then, reattach the volume to the EC2 instance on which it was originally attached. In the EC2 Dashboard:

  1. With this volume still selected, under the “Actions” drop-down menu, select “Attach Volume”.
  2. In the resulting pop-up menu, click on the text field labeled “Instance”.
  3. Select the EC2 instance to which this volume was originally attached.
  4. In the “Device” text field, type the value you noted as to where this volume was originally attached. This will normally be /dev/xvda. This will cause the volume to be attached as the root directory. Note that this is not the default device which is preselected by AWS.

Finally, restart the EC2 instance on which the ec2-user account was enabled. To do so, perform the following steps in the EC2 Dashboard:

  1. Go to “Instances” in the left navigation, under the menu of the same name.
  2. Select the EC2 instance on which the ec2-user account was enabled.
  3. Under the “Actions” drop-down menu, go to the “Instance State” submenu and select “Start”.
  4. A confirmation dialog will appear. Click the “Yes, Start” button.

Once the EC2 instance is ready, you can test to confirm that it is again possible to authenticate to the ec2-user account.

Conclusion

The shared ec2-user account is now disabled on your system. Your system is now more secure. And if you have a compelling reason to enable the ec2-user account again, there’s a way to do it.

–Phil Knerr