If you use standard Ubuntu images on EC2 but don't use the ubuntu user, you may have tried to revoke its sudo permissions by removing it from the sudo group. Have you tested that, though? You may be surprised to learn that it doesn't work. Why not? Simple: the cloud-init package adds a file in /etc/sudoers.d that explicitly gives the ubuntu user sudo access. You probably don't need cloud-init after booting the instance for the first time (unless you plan on making an AMI out of it), so you can fully defang the ubuntu user by purging cloud-init.
UPDATE: You will also need to delete the file in /etc/sudoers.d. Apparently, purging cloud-init doesn't get rid of it, even though dpkg identifies it as belonging to the cloud-init package. WTF?
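To test rather than assume, the following added example (not from the original post) lists the drop-in files that still name a user and reports whether the user is still in the sudo group. The function names are hypothetical, the user name is assumed to contain no regex metacharacters, and the files in /etc/sudoers.d are normally readable only by root, so run it as root.

```shell
#!/bin/sh
# Added example: find sudoers drop-ins that still grant rights to a user.

# Print every file in DIR (default /etc/sudoers.d) that sudo would read
# and that contains an uncommented rule starting with USER.
sudoers_dropins_for() {
    user=$1
    dir=${2:-/etc/sudoers.d}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        # sudo skips drop-in names that end in "~" or contain a "."
        case $name in *~|*.*) continue ;; esac
        # A user rule is the user name followed by whitespace; commented
        # lines start with "#" and do not match the anchored pattern.
        if grep -Eqs "^[[:space:]]*${user}[[:space:]]+" "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Report both ways the user can hold sudo rights: membership of the
# sudo group and an explicit drop-in rule.
audit_user() {
    user=$1
    if id -nG "$user" 2>/dev/null | tr ' ' '\n' | grep -qx sudo; then
        echo "$user is still in the sudo group"
    fi
    sudoers_dropins_for "$user" | sed 's/^/drop-in still grants sudo: /'
}

# Run the audit only when a user name is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_user "$1"
fi
```

Any path it prints is a file to review and delete; afterwards, sudo -l -U ubuntu run as root shows what sudo itself will allow.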