Standard Operating Procedure for Recovery from sudoers File Corruption via AWS SSM Run Command
This SOP lists the steps for recovery from sudoers file corruption via AWS SSM Run Command.
To restore access and fix errors in the /etc/sudoers file on an Amazon EC2 instance where direct login fails due to a misconfigured sudoers file, using AWS Systems Manager (SSM) Run Command.
This SOP applies to Linux-based EC2 instances that are managed by AWS Systems Manager and are configured with SSM Agent, IAM role permissions, and VPC endpoints as needed.
Wrong mount options or syntax errors
Need to restore access and fix file errors in sudoers
SSH login works but any use of sudo fails.
Errors like:
>>> /etc/sudoers: syntax error near line XX <<<
sudo: parse error in /etc/sudoers near line XX
sudo: no valid sudoers sources found, quitting
sudo: unable to initialize policy plugin
EC2 instance must be managed by AWS Systems Manager.
Instance should have SSM Agent running and up-to-date.
Required IAM role with SSM permissions (AmazonSSMManagedInstanceCore) must be attached to the instance.
Network access to SSM endpoints (either via public internet or VPC endpoint).
User must have IAM permissions to use Systems Manager Run Command.
Recovery Procedure
Step 1: Log in to the AWS Console
Go to the AWS Management Console.
Navigate to Systems Manager > Run Command.
Step 2: Execute SSM Run Command
Click “Run command”.
Under Command document, select:
AWS-RunShellScript
In the Command parameters section, under Commands, enter the following script:
cp /etc/sudoers /etc/sudoers.bak
echo 'root ALL=(ALL) ALL' > /etc/sudoers
chmod 440 /etc/sudoers
Note: This restores minimal sudo access only for the root user. You can expand this later.
Under Targets, choose Specify instance tags or Manually select instances, then select the affected instance.
Click Run.
Step 3: Validate the Fix
After the command completes, go to Session Manager in Systems Manager.
Start a session to the affected instance.
Once logged in, run:
sudo -l
If you see the sudo command list, the issue is resolved.
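A hardened form of the Step 2 script, added here as an example and not part of the original SOP: it keeps a timestamped copy of the corrupt file, writes the same minimal root-only policy, and parse-checks it with visudo -c -f before it replaces the live file, so a typo in the replacement cannot lock root out a second time. The sudoers_ok function is the scriptable form of the Step 3 check; the optional path argument (assumed here for testing on a copy) defaults to /etc/sudoers.

```shell
#!/bin/sh
# Added example, not from the original SOP. Run Command executes as root, so
# the redirect into a 0440 file succeeds; the difference from Step 2 is that
# the replacement policy is parse-checked before it goes live.

repair_sudoers() {
    target="${1:-/etc/sudoers}"
    backup="${target}.bak.$(date +%Y%m%d%H%M%S)"
    # Candidate lives next to the target so the final mv is an atomic rename.
    candidate="$(mktemp "${target}.XXXXXX")" || return 1

    # Keep the corrupt file (timestamped) for later diagnosis.
    if [ -f "$target" ]; then
        cp -p "$target" "$backup" || return 1
    fi

    # Minimal policy from the SOP: root only. No #includedir line, so a
    # broken drop-in under /etc/sudoers.d cannot be pulled back in.
    printf '%s\n' 'root ALL=(ALL) ALL' > "$candidate"

    # Parse check; -f checks the named file instead of the live sudoers.
    if ! visudo -c -f "$candidate"; then
        rm -f "$candidate"
        echo "candidate failed validation; $target left untouched" >&2
        return 2
    fi

    chmod 0440 "$candidate" && mv -f "$candidate" "$target" || return 1
    echo "installed minimal sudoers at $target (backup: $backup)"
}

# Scriptable form of Step 3: exit 0 when the file parses, non-zero otherwise.
sudoers_ok() {
    visudo -c -f "${1:-/etc/sudoers}"
}
```

Paste the two functions followed by a call to repair_sudoers into the Commands box; a non-zero exit status shows up as a failed invocation in the Run Command output, which is the signal that the live file was not touched.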
Step 4: Restore Proper sudoers Configuration
Edit the sudoers file using visudo:
visudo
Add required users/groups back properly:
Example:
%admin ALL=(ALL) NOPASSWD:ALL
ec2-user ALL=(ALL) NOPASSWD:ALL
Save and exit (in visudo, press Ctrl+X, then Y, then Enter). These are nano keys; visudo opens whichever editor the EDITOR variable names, so use that editor's save-and-quit command if it is not nano.
Post-Recovery Tasks
Test sudo access for relevant users.
Delete the backup if no longer needed:
rm /etc/sudoers.bak
Preventive Measures
Always edit the sudoers file using visudo.
Test sudo changes on non-production environments.
Enable SSM access on all critical EC2 instances for emergency recovery.
EC2 instance up and running without any faults.