AWS EC2 Serial Console Access Enabled

Detects when EC2 Serial Console Access is enabled for an AWS account. The EC2 Serial Console provides direct, text-based access to an instance's serial port, bypassing the network layer entirely. While useful for troubleshooting boot issues or network misconfigurations, enabling serial console access in production environments is rare and potentially dangerous. Adversaries may enable this feature to establish an out-of-band communication channel that evades network-based security monitoring, firewalls, and VPC controls. This access method can be used for persistent backdoor access or to interact with compromised instances without triggering network-based detection mechanisms.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2026/02/05"
integration = ["aws"]
maturity = "production"
updated_date = "2026/02/05"

[rule]
author = ["Elastic"]
description = """
Detects when EC2 Serial Console Access is enabled for an AWS account. The EC2 Serial Console provides direct, text-based
access to an instance's serial port, bypassing the network layer entirely. While useful for troubleshooting boot issues
or network misconfigurations, enabling serial console access in production environments is rare and potentially
dangerous. Adversaries may enable this feature to establish an out-of-band communication channel that evades
network-based security monitoring, firewalls, and VPC controls. This access method can be used for persistent backdoor
access or to interact with compromised instances without triggering network-based detection mechanisms.
"""
false_positives = [
    """
    Administrators may legitimately enable serial console access during troubleshooting of instances with boot issues,
    network misconfigurations, or SSH access problems. Verify whether the user identity, user agent, and/or source IP
    should be making changes in your environment. Serial console access enablement by unfamiliar users or from
    unexpected locations should be investigated. If this is expected behavior for troubleshooting, it can be exempted
    from the rule, but ensure serial console access is disabled after troubleshooting is complete.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS EC2 Serial Console Access Enabled"
note = """## Triage and analysis

### Investigating AWS EC2 Serial Console Access Enabled

The EC2 Serial Console provides a direct connection to an instance's serial port, allowing access even when network connectivity is unavailable. This feature operates completely outside the network layer, meaning traffic does not traverse VPCs, security groups, NACLs, or any network-based monitoring tools. Enabling serial console access at the account level is a prerequisite for using this feature on individual instances.

This rule detects successful `EnableSerialConsoleAccess` API calls, which may indicate an adversary attempting to establish an out-of-band access channel. In most production environments, serial console access should remain disabled unless actively troubleshooting specific issues.

### Possible investigation steps

- **Identify the actor**
  - Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.type` to determine who enabled serial console access.
  - Verify whether this principal has a legitimate need for troubleshooting access.

- **Review request context**
  - Check `source.ip`, `source.geo`, and `user_agent.original` for anomalous access patterns.
  - Determine whether this action occurred during normal business hours or maintenance windows.

- **Check for follow-on activity**
  - Search for `SendSerialConsoleSSHPublicKey` API calls, which indicate actual usage of the serial console.
  - Review whether any EC2 instances show serial console sessions after this enablement.

- **Correlate with other suspicious activity**
  - Look for preceding credential theft indicators (e.g., `GetSecretValue`, `CreateAccessKey`).
  - Check for other defense evasion actions such as GuardDuty modifications, CloudTrail changes, or security group modifications.

- **Verify business justification**
  - Confirm with the identified user or team whether there was a legitimate troubleshooting need.
  - Check for related incident tickets or change requests.

### False positive analysis

- **Legitimate troubleshooting**
  - Serial console may be enabled temporarily to troubleshoot instances with SSH access issues or boot failures.
  - Verify this corresponds to known incidents and ensure it was disabled afterward.

- **Automated infrastructure provisioning**
  - Some IaC tools may enable serial console access during instance setup. Validate against CI/CD logs.

### Response and remediation

- **Immediate containment**
  - If unauthorized, immediately disable serial console access using `DisableSerialConsoleAccess`.
  - Review any instances that may have been accessed via serial console.

- **Investigation**
  - Audit CloudTrail for all serial console-related API calls (`EnableSerialConsoleAccess`, `DisableSerialConsoleAccess`, `SendSerialConsoleSSHPublicKey`, `GetSerialConsoleAccessStatus`).
  - Check for any data exfiltration or lateral movement that occurred during the enabled period.

- **Hardening**
  - Restrict `ec2:EnableSerialConsoleAccess` permissions to a limited set of administrative roles.
  - Implement AWS Config rules or Security Hub controls to alert on serial console access state changes.
  - Consider using SCPs to prevent serial console enablement in production accounts.

### Additional information
- **[AWS Documentation: EC2 Serial Console](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-serial-console.html)**
- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)**
- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)**
"""
references = [
    "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_EnableSerialConsoleAccess.html",
    "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-serial-console.html",
    "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud",
]
risk_score = 73
rule_id = "e9fe3645-f588-43d6-99f5-437b3ef56f25"
severity = "high"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS EC2",
    "Tactic: Defense Evasion",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset: "aws.cloudtrail"
    and event.provider: "ec2.amazonaws.com"
    and event.action: "EnableSerialConsoleAccess"
    and event.outcome: "success"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.response_elements",
]

Triage and analysis

Investigating AWS EC2 Serial Console Access Enabled

The EC2 Serial Console provides a direct connection to an instance's serial port, allowing access even when network connectivity is unavailable. This feature operates completely outside the network layer, meaning traffic does not traverse VPCs, security groups, NACLs, or any network-based monitoring tools. Enabling serial console access at the account level is a prerequisite for using this feature on individual instances.

This rule detects successful EnableSerialConsoleAccess API calls, which may indicate an adversary attempting to establish an out-of-band access channel. In most production environments, serial console access should remain disabled unless actively troubleshooting specific issues.

Possible investigation steps

  • Identify the actor
    • Review aws.cloudtrail.user_identity.arn and aws.cloudtrail.user_identity.type to determine who enabled serial console access.
    • Verify whether this principal has a legitimate need for troubleshooting access.
  • Review request context
    • Check source.ip, source.geo, and user_agent.original for anomalous access patterns.
    • Determine whether this action occurred during normal business hours or maintenance windows.
  • Check for follow-on activity
    • Search for SendSerialConsoleSSHPublicKey API calls, which indicate actual usage of the serial console.
    • Review whether any EC2 instances show serial console sessions after this enablement.
  • Correlate with other suspicious activity
    • Look for preceding credential theft indicators (e.g., GetSecretValue, CreateAccessKey).
    • Check for other defense evasion actions such as GuardDuty modifications, CloudTrail changes, or security group modifications.
  • Verify business justification
    • Confirm with the identified user or team whether there was a legitimate troubleshooting need.
    • Check for related incident tickets or change requests.
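The following is an added example, not part of the Elastic rule or its investigation guide: it applies the rule's KQL condition to raw CloudTrail records and then carries out the follow-on correlation the steps above describe, pairing each successful EnableSerialConsoleAccess with later SendSerialConsoleSSHPublicKey calls and the eventual DisableSerialConsoleAccess in the same account. It assumes the ECS mapping the rule depends on (eventSource to event.provider, eventName to event.action, a record without errorCode counting as event.outcome "success") and that SendSerialConsoleSSHPublicKey is logged under the EC2 Instance Connect event source; the account id, principals, instance id and timestamps are constructed for this example.

```python
"""Added example (not the Elastic rule's code): evaluate the rule's KQL
condition over raw CloudTrail records and correlate follow-on serial
console activity. All records below are constructed."""

from datetime import datetime
import json

ACCOUNT = "111111111111"  # constructed account id


def _rec(time, source, name, user, **extra):
    """Build a constructed CloudTrail record with the fields the triage uses."""
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "recipientAccountId": ACCOUNT,
           "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/{user}"},
           "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0"}
    rec.update(extra)
    return rec


SAMPLE_RECORDS = [
    # Denied attempt by a different principal: errorCode present, so outcome is failure.
    _rec("2026-02-05T09:58:00Z", "ec2.amazonaws.com", "EnableSerialConsoleAccess", "bob",
         errorCode="Client.UnauthorizedOperation", sourceIPAddress="198.51.100.7"),
    # Successful enablement: this is what the rule alerts on.
    _rec("2026-02-05T10:01:00Z", "ec2.amazonaws.com", "EnableSerialConsoleAccess", "alice",
         responseElements={"serialConsoleAccessEnabled": True}),
    # Actual use of the console (assumed event source: EC2 Instance Connect).
    _rec("2026-02-05T10:07:00Z", "ec2-instance-connect.amazonaws.com",
         "SendSerialConsoleSSHPublicKey", "alice",
         requestParameters={"instanceId": "i-0123456789abcdef0"}),
    # Access disabled again: closes the exposure window.
    _rec("2026-02-05T10:16:00Z", "ec2.amazonaws.com", "DisableSerialConsoleAccess", "alice",
         responseElements={"serialConsoleAccessEnabled": False}),
]


def to_ecs(record):
    """Normalise a raw CloudTrail record into the ECS fields the rule queries."""
    identity = record.get("userIdentity", {})
    return {
        "@timestamp": record["eventTime"],
        "event.dataset": "aws.cloudtrail",
        "event.provider": record["eventSource"],
        "event.action": record["eventName"],
        "event.outcome": "failure" if record.get("errorCode") else "success",
        "cloud.account.id": record.get("recipientAccountId"),
        "aws.cloudtrail.user_identity.arn": identity.get("arn"),
        "aws.cloudtrail.user_identity.type": identity.get("type"),
        "source.ip": record.get("sourceIPAddress"),
        "user_agent.original": record.get("userAgent"),
        "aws.cloudtrail.response_elements": json.dumps(record.get("responseElements", {})),
    }


def rule_matches(event):
    """The rule's KQL condition, term for term."""
    return (event["event.dataset"] == "aws.cloudtrail"
            and event["event.provider"] == "ec2.amazonaws.com"
            and event["event.action"] == "EnableSerialConsoleAccess"
            and event["event.outcome"] == "success")


def _parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def triage(records):
    """One alert per rule match, enriched with follow-on activity: successful
    SendSerialConsoleSSHPublicKey calls in the same account while access stayed
    enabled, and the DisableSerialConsoleAccess that closed the window (if any)."""
    events = sorted((to_ecs(r) for r in records), key=lambda e: e["@timestamp"])
    alerts = []
    for i, ev in enumerate(events):
        if not rule_matches(ev):
            continue
        usage, disabled_at = 0, None
        for later in events[i + 1:]:
            if later["cloud.account.id"] != ev["cloud.account.id"] or later["event.outcome"] != "success":
                continue
            if later["event.action"] == "DisableSerialConsoleAccess":
                disabled_at = later["@timestamp"]
                break
            if later["event.action"] == "SendSerialConsoleSSHPublicKey":
                usage += 1
        exposure = None
        if disabled_at:
            exposure = (_parse_ts(disabled_at) - _parse_ts(ev["@timestamp"])).total_seconds() / 60
        alerts.append({"enabled_at": ev["@timestamp"],
                       "actor": ev["aws.cloudtrail.user_identity.arn"],
                       "source_ip": ev["source.ip"], "user_agent": ev["user_agent.original"],
                       "serial_console_usage": usage, "disabled_at": disabled_at,
                       "exposure_minutes": exposure})
    return alerts


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_RECORDS), indent=2))
```

An open exposure window (no DisableSerialConsoleAccess found) leaves `disabled_at` and `exposure_minutes` as `None`, which is the case the containment step should be prioritised on; the denied attempt by `bob` is excluded by the `event.outcome` term exactly as in the rule, but it is still worth reviewing as a precursor.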

False positive analysis

  • Legitimate troubleshooting
    • Serial console may be enabled temporarily to troubleshoot instances with SSH access issues or boot failures.
    • Verify this corresponds to known incidents and ensure it was disabled afterward.
  • Automated infrastructure provisioning
    • Some IaC tools may enable serial console access during instance setup. Validate against CI/CD logs.

Response and remediation

  • Immediate containment
    • If unauthorized, immediately disable serial console access using DisableSerialConsoleAccess.
    • Review any instances that may have been accessed via serial console.
  • Investigation
    • Audit CloudTrail for all serial console-related API calls (EnableSerialConsoleAccess, DisableSerialConsoleAccess, SendSerialConsoleSSHPublicKey, GetSerialConsoleAccessStatus).
    • Check for any data exfiltration or lateral movement that occurred during the enabled period.
  • Hardening
    • Restrict ec2:EnableSerialConsoleAccess permissions to a limited set of administrative roles.
    • Implement AWS Config rules or Security Hub controls to alert on serial console access state changes.
    • Consider using SCPs to prevent serial console enablement in production accounts.
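As an added example for the hardening step (not code from the Elastic rule or from AWS), the block below builds the service control policy that denies ec2:EnableSerialConsoleAccess for every principal except a named break-glass role, and includes a deliberately simplified evaluator that shows which requests the Deny statement applies to. The role name BreakGlassAdmin and the account id are hypothetical; the evaluator implements only the explicit-Deny side of SCP evaluation with ArnLike-style component matching, so it is an illustration of the policy's intent rather than a reimplementation of IAM.

```python
"""Added example (not the Elastic rule's or AWS's code): an SCP that blocks
enabling the EC2 Serial Console except for a break-glass role, plus a
simplified evaluator for its Deny statement."""

from fnmatch import fnmatchcase
import json

BREAK_GLASS_ROLE = "arn:aws:iam::*:role/BreakGlassAdmin"  # hypothetical role name


def build_serial_console_scp(exempt_role_arns):
    """Deny ec2:EnableSerialConsoleAccess unless aws:PrincipalArn matches one of
    the exempt patterns (for assumed roles this key resolves to the role ARN)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyEnableSerialConsoleAccess",
            "Effect": "Deny",
            "Action": ["ec2:EnableSerialConsoleAccess"],
            "Resource": "*",
            "Condition": {"ArnNotLike": {"aws:PrincipalArn": list(exempt_role_arns)}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def arn_like(arn, pattern):
    """ArnLike semantics: the six colon-delimited ARN components are matched
    separately, so * and ? never cross a component boundary."""
    arn_parts, pat_parts = arn.split(":", 5), pattern.split(":", 5)
    if len(arn_parts) != 6 or len(pat_parts) != 6:
        return False
    return all(fnmatchcase(a, p) for a, p in zip(arn_parts, pat_parts))


def scp_denies(policy, action, principal_arn):
    """True if an explicit Deny statement applies to this action/principal pair.
    Simplified: only Deny effects and the ArnNotLike/aws:PrincipalArn condition
    are evaluated; Resource and other condition keys are ignored."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        exempt = stmt.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalArn", [])
        if any(arn_like(principal_arn, p) for p in _as_list(exempt)):
            continue  # ArnNotLike is false for this principal, so the Deny does not apply
        return True
    return False


POLICY = build_serial_console_scp([BREAK_GLASS_ROLE])

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    for principal in ("arn:aws:iam::111111111111:role/Developer",       # constructed
                      "arn:aws:iam::111111111111:role/BreakGlassAdmin"):  # constructed
        verdict = "denied" if scp_denies(POLICY, "ec2:EnableSerialConsoleAccess", principal) else "not denied by SCP"
        print(f"{principal}: {verdict}")
```

An SCP is a guardrail, not a grant: the exempt role still needs an IAM policy allowing the action, and SCPs do not apply to the organisation's management account, so the detection rule remains necessary for activity by the break-glass role and in accounts the policy is not attached to.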
