Short answer: you can't. Ports below 1024 can be opened only by root. As per comment - well, you can, using CAP_NET_BIND_SERVICE, but that approach, applied to java bin will make any java program to be run with this setting, which is undesirable, if not a security risk.
The long answer: you can redirect connections on port 80 to some other port you can open as normal user.
Run as root:
# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
As loopback devices (like localhost) do not use the prerouting rules, if you need to use localhost, etc., add this rule as well (thanks @Francesco):
# iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 80 -j REDIRECT --to-ports 8080
NOTE: The above solution is not well suited for multi-user systems, as any user can open port 8080 (or any other high port you decide to use), thus intercepting the traffic. (Credits to CesarB).
EDIT: as per comment question - to delete the above rule:
# iptables -t nat --line-numbers -n -L
This will output something like:
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 redir ports 8088
2 REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080
The rule you are interested in is nr. 2, so to delete it:
# iptables -t nat -D PREROUTING 2
Of course you can remove the ubuntu user, just make sure that the new user you created is able to sudo, etc..
All in all it doesn't really matter what your users are called. Services like cloudwatch also don't log into your instance to gain vitals. The instance is a virtual environment, what Amazon exposes is available to them from the host system.
Also, I don't see this user as a security hole -- by contrast, it was added to the Ubuntu AMIs because every other AMI allows you to login with root. That's more of a security issue. ;-)
Further more, the account is protected with a private key so I don't see an issue here unless your private key is compromised. In which case you should generate a new pair on the AWS console.
If you really want another login, you could try to rename it: usermod -l NEWNAME ubuntu
Best Answer
According to this, CloudInit should support custom directives to create new users including overriding the default "ubuntu" user. I've tried it following examples, but haven't been able to get it to work.
However, since CloudInit supports user-data scripts and you can do just about anything in a script, I prefer to use standard commands rather than try to learn some new custom directives.
Here's how I change the default username from "ubuntu" in a user-data script. This example uses the new username "newuser" which you should change to your preference:
You can add on to this user-data script to do any other initialization and configuration needed on your instances.
Update: I've written an expanded article describing the steps for using both a user-data script and how to do it with CloudInit on recent versions of Ubuntu: http://alestic.com/2014/01/ec2-change-username