Skip to content

EnableSerialConsoleAccess

AWS

EnableSerialConsoleAccess

service: AWS - EC2
techniques:

Event

Enables the EC2 Serial Console at the account level, allowing direct serial port access to instances for troubleshooting.

Security Context

  • Execution capabilities in cloud services can be abused to run malicious code, establish C2 channels, or perform reconnaissance.
  • Using remote services for lateral movement allows adversaries to pivot between systems while leveraging legitimate access mechanisms.

Log Source

CloudTrail

Sample Event

Adversarial. Draco enables EC2 Serial Console at the account level. Without an opt-in at the account level, no instance can use the serial console regardless of IAM permissions, so this is the prerequisite step in a lateral-movement chain that ends in SendSerialConsoleSSHPublicKey against a target EC2 instance — bypassing SG rules and bastion-host controls. T1021 (Remote Services) + T1578 (Modify Cloud Compute Infrastructure).

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDADRAC0MALF0YBADGY",
"arn": "arn:aws:iam::555123456789:user/draco",
"accountId": "555123456789",
"accessKeyId": "AKIADRAC0MALF0YEXAMP5",
"userName": "draco"
},
"eventTime": "2026-04-15T21:01:47Z",
"eventSource": "ec2.amazonaws.com",
"eventName": "EnableSerialConsoleAccess",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.66",
"userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6",
"requestParameters": null,
"responseElements": {
"EnableSerialConsoleAccessResponse": {
"requestId": "90000000-0000-4000-8000-000100111000",
"serialConsoleAccessEnabled": true
}
},
"requestID": "90000000-0000-4000-8000-000100111000",
"eventID": "90000000-0000-4000-8000-000100111001",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "ec2.us-east-1.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Lateral Movement Execution

Techniques:
  • T1021 — Remote Services — Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.