Elastic Security Detection Rules

AWS EC2 Serial Console Access Enabled

Last updated 6 days ago on 2026-02-05
Created 6 days ago on 2026-02-05

About

Detects when EC2 Serial Console Access is enabled for an AWS account. The EC2 Serial Console provides direct, text-based access to an instance's serial port, bypassing the network layer entirely. While useful for troubleshooting boot issues or network misconfigurations, enabling serial console access in production environments is rare and potentially dangerous. Adversaries may enable this feature to establish an out-of-band communication channel that evades network-based security monitoring, firewalls, and VPC controls. This access method can be used for persistent backdoor access or to interact with compromised instances without triggering network-based detection mechanisms.
Tags
Domain: CloudData Source: AWSData Source: Amazon Web ServicesData Source: AWS EC2Tactic: Defense EvasionLanguage: kuery
Severity
high
Risk Score
73
MITRE ATT&CK™

Defense Evasion (TA0005)(external, opens in a new tab or window)

Impair Defenses (T1562)(external, opens in a new tab or window)

False Positive Examples
Administrators may legitimately enable serial console access during troubleshooting of instances with boot issues, network misconfigurations, or SSH access problems. Verify whether the user identity, user agent, and/or source IP should be making changes in your environment. Serial console access enablement by unfamiliar users or from unexpected locations should be investigated. If this is expected behavior for troubleshooting, it can be exempted from the rule, but ensure serial console access is disabled after troubleshooting is complete.
License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*logs-aws.cloudtrail-*
Related Integrations

aws(external, opens in a new tab or window)

Query
text code block:
event.dataset: "aws.cloudtrail"
    and event.provider: "ec2.amazonaws.com"
    and event.action: "EnableSerialConsoleAccess"
    and event.outcome: "success"

Install detection rules in Elastic Security

Detect AWS EC2 Serial Console Access Enabled in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).