@jpsecher
Last active December 17, 2018 11:34
Ubuntu 16.04 Xenial AMI contents

Here is what a fresh Ubuntu 16.04 Xenial AWS Machine Image (specifically ami-0181f8d9b6f098ec4) contains.

First and most importantly, the only network services running are the SSH daemon and the DHCP client:

ubuntu@ip-172-1-2-3$ netstat -tupln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1240/sshd       
tcp6       0      0 :::22                   :::*                    LISTEN      1240/sshd       
udp        0      0 0.0.0.0:68              0.0.0.0:*                           883/dhclient    
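
The listing above can serve as a baseline for drift detection. The following is an added example, not part of the original gist: it reads `netstat -tupln` output and reports any listener other than the three shown. The function names and the extra port 8080 row in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: report listening sockets that are not in the baseline above
# (sshd on tcp/tcp6 port 22, dhclient on udp port 68).

# unexpected_listeners: read `netstat -tupln` output on stdin and print
# "proto port program" for every socket outside the allowlist.
unexpected_listeners() {
    awk '
        BEGIN {
            allowed["tcp 22 sshd"] = 1
            allowed["tcp6 22 sshd"] = 1
            allowed["udp 68 dhclient"] = 1
        }
        $1 ~ /^(tcp|udp)6?$/ {
            # TCP rows carry a State column (LISTEN); unconnected UDP rows do not.
            prog = ($6 == "LISTEN") ? $7 : $6
            sub(/^[0-9]+\//, "", prog)        # "1240/sshd" -> "sshd"
            if (prog == "" || prog == "-") prog = "unknown"   # owner hidden without root
            n = split($4, addr, ":")          # port is the last colon-separated part
            key = $1 " " addr[n] " " prog
            if (!(key in allowed)) print key
        }
    '
}

# Constructed sample: the three baseline rows plus one extra listener.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1240/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      1240/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           883/dhclient
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      2201/python3
EOF
}

sample_netstat | unexpected_listeners    # on a host: sudo netstat -tupln | unexpected_listeners
```

Run without root, netstat hides the owning program, so those rows are reported as `unknown` rather than silently accepted.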

Then, let's see what processes are running, leaving out most of the internal kernel processes:

ubuntu@ip-172-1-2-3$ ps axf
  PID TTY      STAT   TIME COMMAND
    2 ?        S      0:00 [kthreadd]
    3 ?        S      0:00  \_ [ksoftirqd/0]
    4 ?        S      0:00  \_ [kworker/0:0]
  ...          ...    ...   ...
 1657 ?        S<     0:00  \_ [loop1]
    1 ?        Ss     0:02 /sbin/init
  391 ?        Ss     0:00 /lib/systemd/systemd-journald
  428 ?        Ss     0:00 /sbin/lvmetad -f
  459 ?        Ss     0:00 /lib/systemd/systemd-udevd
  674 ?        Ssl    0:00 /lib/systemd/systemd-timesyncd
  883 ?        Ss     0:00 /sbin/dhclient -1 -v -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -I -df /var/lib/dhcp/dhclient6.eth0.leases eth0
 1032 ?        Ss     0:00 /sbin/iscsid
 1033 ?        S<Ls   0:00 /sbin/iscsid
 1041 ?        Ss     0:00 /usr/sbin/atd -f
 1046 ?        Ss     0:00 /lib/systemd/systemd-logind
 1055 ?        Ss     0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
 1064 ?        Ssl    0:00 /usr/lib/accountsservice/accounts-daemon
 1066 ?        Ssl    0:00 /usr/sbin/rsyslogd -n
 1075 ?        Ss     0:00 /usr/sbin/cron -f
 1086 ?        Ss     0:00 /usr/sbin/acpid
 1088 ?        Ssl    0:00 /usr/bin/lxcfs /var/lib/lxcfs/
 1136 ?        Ss     0:00 /sbin/mdadm --monitor --pid-file /run/mdadm/monitor.pid --daemonise --scan --syslog
 1146 ?        Ssl    0:00 /usr/lib/policykit-1/polkitd --no-debug
 1216 ttyS0    Ss+    0:00 /sbin/agetty --keep-baud 115200 38400 9600 ttyS0 vt220
 1221 tty1     Ss+    0:00 /sbin/agetty --noclear tty1 linux
 1240 ?        Ss     0:00 /usr/sbin/sshd -D
 1262 ?        Ss     0:00  \_ sshd: ubuntu [priv]
 1516 ?        S      0:00      \_ sshd: ubuntu@pts/0
 1520 pts/0    Ss     0:00          \_ -bash
 1809 pts/0    R+     0:00              \_ ps axf
 1450 ?        Ss     0:00 /lib/systemd/systemd --user
 1454 ?        S      0:00  \_ (sd-pam)
 1529 ?        Ssl    0:00 /usr/lib/snapd/snapd
 1717 ?        Ssl    0:00 /snap/amazon-ssm-agent/295/amazon-ssm-agent

So, apart from the hardware management processes, logging, login & accounting, and the SSH connection that connects me to the VM, we have the following:

| Process | Purpose |
| --- | --- |
| systemd-timesyncd | Time synchronisation (NTP) |
| atd | Scheduler for tasks in the future |
| crond | Scheduler for recurrent tasks |
| polkitd | Controller for interprocess communication |
| snapd | Low level package management |
| amazon-ssm-agent | Interfacing to the underlying AWS system |
| SSH daemon | Secure Shell access |

With respect to user accounts, we have:

ubuntu@ip-172-1-2-3$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false
uuidd:x:108:112::/run/uuidd:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
pollinate:x:111:1::/var/cache/pollinate:/bin/false
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash

which means that only root and ubuntu are real users that can potentially log in. The only way to log in, however, is through SSH, and it is configured so that only public-key authentication is allowed. For both root and ubuntu, the only allowed key is the one that was baked into the image at startup, and any root login with that key will be rejected and redirected to log in as user ubuntu.
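
Both halves of that claim can be checked mechanically. The following is an added example, not part of the original gist: one function lists accounts whose shell is a valid login shell, the other flags password-style SSH authentication in `sshd -T` output. The function names and the `/etc/shells` content are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original gist. On a real host run:
#   login_capable /etc/passwd /etc/shells
#   sudo sshd -T | password_auth_enabled

# login_capable PASSWD SHELLS: print accounts whose shell is listed in SHELLS.
login_capable() {
    awk -F: '
        FILENAME == ARGV[1] {                     # first file: valid login shells
            if ($0 != "" && $0 !~ /^#/) shells[$0] = 1
            next
        }
        {
            shell = ($7 == "") ? "/bin/sh" : $7   # empty field means /bin/sh
            if (shell in shells) print $1
        }
    ' "$2" "$1"
}

# password_auth_enabled: read `sshd -T` output (effective settings, lowercase
# keywords) on stdin and print each password-style method set to "yes".
password_auth_enabled() {
    awk '
        BEGIN {
            m["passwordauthentication"] = 1
            m["challengeresponseauthentication"] = 1
            m["kbdinteractiveauthentication"] = 1
        }
        ($1 in m) && $2 == "yes" { print $1 }
    '
}

# demo: five entries copied from the passwd listing above, checked against a
# constructed /etc/shells (assumption: sh, dash and bash are the valid shells).
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
sync:x:4:65534:sync:/bin:/bin/sync
syslog:x:104:108::/home/syslog:/bin/false
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
EOF
    printf '%s\n' '# /etc/shells' /bin/sh /bin/dash /bin/bash > "$dir/shells"
    login_capable "$dir/passwd" "$dir/shells"
    rm -rf "$dir"
}

demo    # prints root and ubuntu; sync has a shell field but /bin/sync is not a login shell
```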

The set of installed packages is also very limited, just enough to install and configure more software when needed, e.g.:

| Package | Purpose |
| --- | --- |
| apt | Package manager |
| bash | Shell scripting |
| bsdutils | Standard utilities |
| cryptsetup | Disk encryption |
| curl | Fetch file from the web |
| ftp | FTP client |
| git | Revision control system |
| gnupg | PGP |
| gzip | Zip |
| lxd | Container hypervisor |
| mawk | Text processing |
| nano | Editor |
| python3 | Scripting language |
| rsync | File synchronisation |
| strace | System call tracer |
| sed | Text stream editor |
| tar | Archiver |
| vim | Editor |
| wget | Fetch file from the web |

So, all in all, it seems like the Ubuntu Cloud image is close to minimal.

Kernel:

ubuntu@ip-172-1-2-3$ uname -a
Linux ip-192-168-40-105 4.4.0-1070-aws #80-Ubuntu SMP Thu Oct 4 13:56:07 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux