EnableSerialConsoleAccess
AWS
EnableSerialConsoleAccess
Event
Enables the EC2 Serial Console at the account level, allowing direct serial port access to instances for troubleshooting.
Security Context
- Execution capabilities in cloud services can be abused to run malicious code, establish C2 channels, or perform reconnaissance.
- Using remote services for lateral movement allows adversaries to pivot between systems while leveraging legitimate access mechanisms.
Log Source
CloudTrail
Sample Event
Adversarial. Draco enables EC2 Serial Console at the account level. Without an opt-in at the account level, no instance can use the serial console regardless of IAM permissions, so this is the prerequisite step in a lateral-movement chain that ends in SendSerialConsoleSSHPublicKey against a target EC2 instance — bypassing SG rules and bastion-host controls. T1021 (Remote Services) + T1578 (Modify Cloud Compute Infrastructure).
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDADRAC0MALF0YBADGY", "arn": "arn:aws:iam::555123456789:user/draco", "accountId": "555123456789", "accessKeyId": "AKIADRAC0MALF0YEXAMP5", "userName": "draco" }, "eventTime": "2026-04-15T21:01:47Z", "eventSource": "ec2.amazonaws.com", "eventName": "EnableSerialConsoleAccess", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.66", "userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6", "requestParameters": null, "responseElements": { "EnableSerialConsoleAccessResponse": { "requestId": "90000000-0000-4000-8000-000100111000", "serialConsoleAccessEnabled": true } }, "requestID": "90000000-0000-4000-8000-000100111000", "eventID": "90000000-0000-4000-8000-000100111001", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "ec2.us-east-1.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Lateral Movement Execution
Techniques:
- T1021 — Remote Services — Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.