Best Practice for setting passwords for Ubuntu user to restrict access to privileged root access
I am still new to Ubuntu, and I want to understand the best practice for restricting access to elevating access to root (i.e. via sudo su). Would it be good enough to set a password for the ubuntu user (this seems to ask for a password when doing sudo su) or should there be additional considerations to consider?
In my current test Ubuntu environment (hosted on AWS) I have set the password for the ubuntu user as well as run the following command:
sudo sed -re 's/NOPASSWD://' -i.`date -Iseconds` /etc/sudoers.d/90-cloud-init-users
which removes the no password requirement for the ubuntu user. I also noticed that new lines ubuntu ALL=(ALL) NOPASSWD:ALL gets added if you do a relaunch of the instance from an AMI backup, is this normal behaviour?
Cloud instances you can not compare with a regular desktop. Those are servers you connect to using SSH.
If someone gets onto your machine you already lost the fight so a Cloud instance can be an Ubuntu up with a passwordless admin.
Would it be good enough to set a password for the ubuntu user (this seems to ask for a password when doing sudo su)
No need for a password.
or should there be additional considerations to consider?
SSH private keys are what you want. Plus, if needed: a location or machine specific lock. Our cloud instances I can connect to from home, or work and nowhere else unless I first get permission to do so.
I also noticed that new lines ubuntu ALL=(ALL) NOPASSWD:ALL gets added if you do a relaunch of the instance from an AMI backup, is this normal behaviour?
GCE/Google does that too. It is (likely) to ensure you always can get into the machine, as restoring a backup is something that is done when there is some sort of trouble. If you forget your password for your instance, that is the only way to get back into it: there is no live session or grub prompt to fall back to. In that case passwordless admin is better.
The ubuntu user and password are merely there so you can do your initial login and configuration of your cloud system. Best practice is to create your own admin account and use your own SSH keys, then disable (or delete; we tend to disable it) the ubuntu user. Other logins should use their own accounts created by an admin. None of them should ever be using the ubuntu user.
For the same reason you do not upgrade a cloud but create a copy of your userdisk and connect it to a new systemdisk.
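A check for the behaviour discussed in this thread, where the NOPASSWD line returns to /etc/sudoers.d/90-cloud-init-users after a relaunch from an AMI: the script below is an added example, not code from any of the posts. The function names list_nopasswd and make_sample, the user alice and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: report active NOPASSWD rules in a sudoers drop-in directory.

# list_nopasswd DIR: print "file: rule" for each non-comment line that still
# carries the NOPASSWD tag (DIR defaults to /etc/sudoers.d).
# Limitation: every line starting with '#' is treated as a comment, so
# rules written with a '#uid' user spec are not reported.
list_nopasswd() {
    dir=${1:-/etc/sudoers.d}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        # sudo skips drop-ins whose name contains '.' or ends in '~', so the
        # timestamped backup left by `sed -i.SUFFIX` is not an active file.
        case $name in
            *.*|*~) continue ;;
        esac
        awk -v n="$name" '!/^[ \t]*#/ && /NOPASSWD:/ { print n ": " $0 }' "$f"
    done
    return 0
}

# make_sample DIR: constructed drop-ins modelling the state after a relaunch.
make_sample() {
    # Live file: the edited rule plus the line that was added again.
    printf '%s\n' '# constructed sample' 'ubuntu ALL=(ALL) ALL' \
        'ubuntu ALL=(ALL) NOPASSWD:ALL' > "$1/90-cloud-init-users"
    # Backup from the sed command in the question (name contains '.').
    printf '%s\n' 'ubuntu ALL=(ALL) NOPASSWD:ALL' \
        > "$1/90-cloud-init-users.2024-01-01T00:00:00+00:00"
    # Hypothetical personal admin account that must give a password.
    printf '%s\n' '# alice ALL=(ALL) NOPASSWD:ALL' 'alice ALL=(ALL) ALL' \
        > "$1/admins"
}

# Demo on the constructed directory; run list_nopasswd with no argument
# (as root) to check the real /etc/sudoers.d.
sample=$(mktemp -d)
make_sample "$sample"
list_nopasswd "$sample"
rm -rf "$sample"
```

Running it after every relaunch or restore shows whether the passwordless rule is back before the instance is put into service.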