ec2 serial console is an AWS feature providing out-of-band, text-based access to an EC2 instance’s serial port, enabling boot and network troubleshooting when SSH, RDP, or the system console are unreachable.
```bash
# Enable serial console access at the account level (required once per region)
aws ec2 enable-serial-console-access --region us-east-1
```
Use the serial console when your instance is unreachable via SSH or RDP to diagnose boot failures, kernel panics, or network issues. The following sections cover enabling, configuring with GRUB, and connecting via CLI or console.
## ec2 serial console Syntax Reference
```bash
# Associate an SSH public key with serial port 0 of the instance for serial console
# authentication; the association is short-lived, so run the ssh command right after it
aws ec2-instance-connect send-serial-console-ssh-public-key \
  --instance-id i-1234567890abcdef0 \
  --serial-port 0 \
  --ssh-public-key file://my-key.pub
# Connect with the matching private key: the SSH user name is <instance-id>.port<N>
# and the host is the regional serial console endpoint
ssh -i my-key i-1234567890abcdef0.port0@serial-console.ec2-instance-connect.us-east-1.aws
```
Tested on AWS CLI v2.9.0 and Python 3.9 with IAM permissions: ec2:EnableSerialConsoleAccess, ec2:SendSerialConsoleSSHPublicKey.
## ec2 serial console Rapid Reference Cheat Sheet
| Action | CLI Command / Console Path | Provider | Key Flag / Option | Impact / Result |
|---|---|---|---|---|
| Enable at account level | `aws ec2 enable-serial-console-access` | AWS CLI | `--region` | Permits serial console for all instances in the region |
| Grant IAM permission | Inline/managed policy with `ec2:SendSerialConsoleSSHPublicKey` | AWS IAM | `ec2:SerialConsolePort` condition key | Controls which ports a user can access |
| Send SSH public key | `aws ec2-instance-connect send-serial-console-ssh-public-key` | AWS CLI | `--serial-port`, `--ssh-public-key` | Authorizes key for one-time SSH login via serial console |
| Connect via Console | EC2 Console → Select instance → Connect → Serial console | AWS Console | N/A | Opens browser-based terminal session |
| Check instance GRUB config | `grep console /boot/grub/grub.cfg` | Linux (via rescue) | N/A | Verifies kernel serial console parameters (`console=ttyS0,115200n8`) |
| Connect via SSH | `ssh -i my-key i-1234567890abcdef0.port0@serial-console.ec2-instance-connect.us-east-1.aws` | AWS CLI + SSH | `.port0` suffix on the instance ID | Opens an SSH session to serial port 0 through the regional serial console endpoint |
## Advanced Implementation & Parameters
### IAM Policies for Granular Control
To restrict serial console access by instance or port, use IAM condition keys. Below is a policy that allows sending a public key only to serial port 0 on a specific instance.
```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "ec2-instance-connect:SendSerialConsoleSSHPublicKey",
    "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-0abcdef",
    "Condition": {
      "NumericEquals": {"ec2:SerialConsolePort": "0"}
    }
  }]
}
```
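As an added example (not code from the page or from AWS), the Python below generalises the policy above to several instances and ports and lints a policy against the rules this page sets: no wildcard on serial console actions, no `Resource: "*"`, and a port condition on every `SendSerialConsoleSSHPublicKey` grant. The condition key `ec2:SerialConsolePort` is taken from the page's policy; the linter's rule set and the wildcard counter-example are assumptions of mine.

```python
import fnmatch
import json

# Actions that touch the serial console. The first is what the page's policy grants;
# the Enable/Disable pair is the account-level switch, added here so that a wildcard
# covering it is also reported.
SERIAL_CONSOLE_ACTIONS = (
    "ec2-instance-connect:SendSerialConsoleSSHPublicKey",
    "ec2:EnableSerialConsoleAccess",
    "ec2:DisableSerialConsoleAccess",
)
PORT_CONDITION_KEY = "ec2:SerialConsolePort"  # condition key as used in the page's policy


def build_serial_console_policy(account_id, region, instance_ids, ports=(0,)):
    """Return the page's scoped policy, generalised to a list of instances and ports."""
    resources = [f"arn:aws:ec2:{region}:{account_id}:instance/{i}" for i in instance_ids]
    port_values = [str(p) for p in ports]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "ec2-instance-connect:SendSerialConsoleSSHPublicKey",
            "Resource": resources if len(resources) > 1 else resources[0],
            "Condition": {"NumericEquals": {
                PORT_CONDITION_KEY: port_values if len(port_values) > 1 else port_values[0]}},
        }],
    }


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants(action_patterns, action):
    # IAM matches action names case-insensitively and allows '*' wildcards
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in action_patterns)


def lint_serial_console_policy(policy):
    """Return a list of findings; an empty list means the policy follows the page's rules."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = _as_list(stmt.get("Action"))
        granted = [a for a in SERIAL_CONSOLE_ACTIONS if _grants(patterns, a)]
        if not granted:
            continue
        if any("*" in p for p in patterns):
            findings.append(f"statement {idx}: wildcard Action grants {granted}")
        if "*" in _as_list(stmt.get("Resource")):
            findings.append(f"statement {idx}: Resource '*' is not scoped to specific instances")
        condition_keys = {k.lower() for block in stmt.get("Condition", {}).values() for k in block}
        if ("ec2-instance-connect:SendSerialConsoleSSHPublicKey" in granted
                and PORT_CONDITION_KEY.lower() not in condition_keys):
            findings.append(f"statement {idx}: no {PORT_CONDITION_KEY} condition, so every serial port is allowed")
    return findings


# The page's own policy, embedded so the linter runs offline.
PAGE_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Action": "ec2-instance-connect:SendSerialConsoleSSHPublicKey",
                "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-0abcdef",
                "Condition": {"NumericEquals": {"ec2:SerialConsolePort": "0"}}}]}
""")

# Constructed counter-example: the kind of grant the page says never to use in production.
WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2-instance-connect:*", "Resource": "*"}],
}

if __name__ == "__main__":
    print(json.dumps(build_serial_console_policy("123456789012", "us-east-1", ["i-0abcdef"]), indent=2))
    for label, pol in (("page policy", PAGE_POLICY), ("wildcard policy", WILDCARD_POLICY)):
        print(label, lint_serial_console_policy(pol) or "OK")
```

Run it in a pre-deployment check on any policy that names a serial console action; the linter deliberately ignores `Deny` statements, since a deny can only narrow access.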
### GRUB Configuration for Serial Console Access
For the serial console to display boot messages and allow GRUB interaction, the kernel must be booted with serial console parameters. Modify /etc/default/grub and regenerate the configuration.
```bash
# In /etc/default/grub on the impaired instance, or on its root volume mounted on a rescue instance:
GRUB_CMDLINE_LINUX_DEFAULT="console=tty0 console=ttyS0,115200n8"
GRUB_TERMINAL="console serial"
GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1"
# Regenerate grub.cfg (Ubuntu/Debian)
update-grub
# Regenerate grub.cfg (RHEL/CentOS)
grub2-mkconfig -o /boot/grub2/grub.cfg
```
The parameters above enable both physical (tty0) and serial (ttyS0) consoles. Without this, the serial console may show a black screen after instance boot.
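The following Python is an added example, not code from the page, that checks an `/etc/default/grub` file for the three settings above before `update-grub` is run, and rewrites the file to add them while keeping whatever other kernel options were already on `GRUB_CMDLINE_LINUX_DEFAULT`. The sample file contents are constructed; the required values are the ones the page gives.

```python
import re
import shlex

# Constructed sample of /etc/default/grub from an image whose serial console shows a black screen
SAMPLE_DEFAULT_GRUB = """\
# Constructed sample; not taken from a real instance
GRUB_DEFAULT=0
GRUB_TIMEOUT=0
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
GRUB_TERMINAL="console"
"""

SERIAL_CMDLINE = ["console=tty0", "console=ttyS0,115200n8"]
SERIAL_TERMINAL = "console serial"
SERIAL_COMMAND = "serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1"


def parse_grub_defaults(text):
    """Parse KEY=value lines (shell quoting honoured) into a dict; comments and blanks are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        try:
            settings[key.strip()] = " ".join(shlex.split(value))
        except ValueError:  # unbalanced quotes: keep the raw value rather than fail
            settings[key.strip()] = value
    return settings


def check_serial_console(text):
    """Return the list of reasons the serial console would not work; empty means OK."""
    s = parse_grub_defaults(text)
    problems = []
    cmdline = s.get("GRUB_CMDLINE_LINUX", "") + " " + s.get("GRUB_CMDLINE_LINUX_DEFAULT", "")
    if not re.search(r"\bconsole=ttyS0\b", cmdline):
        problems.append("kernel command line has no console=ttyS0 entry (serial console shows a black screen)")
    elif "console=ttyS0,115200n8" not in cmdline:
        problems.append("console=ttyS0 is present but not configured as 115200n8")
    if "serial" not in s.get("GRUB_TERMINAL", "").split():
        problems.append("GRUB_TERMINAL does not include 'serial' (GRUB menu unreachable over serial)")
    if "--speed=115200" not in s.get("GRUB_SERIAL_COMMAND", ""):
        problems.append("GRUB_SERIAL_COMMAND missing or not set to 115200 baud")
    return problems


def _merge_cmdline(existing):
    # Keep every existing option except console= entries, then append the serial ones
    keep = [tok for tok in existing.split() if not tok.startswith("console=")]
    return " ".join(keep + SERIAL_CMDLINE)


def fix_serial_console(text):
    """Return the file with the page's three settings applied; untouched lines are preserved."""
    s = parse_grub_defaults(text)
    wanted = {
        "GRUB_CMDLINE_LINUX_DEFAULT": _merge_cmdline(s.get("GRUB_CMDLINE_LINUX_DEFAULT", "")),
        "GRUB_TERMINAL": SERIAL_TERMINAL,
        "GRUB_SERIAL_COMMAND": SERIAL_COMMAND,
    }
    out, seen = [], set()
    for line in text.splitlines():
        stripped = line.strip()
        key = stripped.partition("=")[0]
        if key in wanted and not stripped.startswith("#"):
            out.append(f'{key}="{wanted[key]}"')
            seen.add(key)
        else:
            out.append(line)
    out += [f'{key}="{wanted[key]}"' for key in wanted if key not in seen]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for p in check_serial_console(SAMPLE_DEFAULT_GRUB):
        print("before:", p)
    fixed = fix_serial_console(SAMPLE_DEFAULT_GRUB)
    print(fixed)
    print("after:", check_serial_console(fixed) or "OK")
```

Run the check against the file on the mounted rescue volume before regenerating `grub.cfg`; checking the source file catches a missing `GRUB_SERIAL_COMMAND`, which a `grep console /boot/grub/grub.cfg` on the generated file would not show.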
### Using a Rescue Instance to Modify the Root Volume
When an instance is unreachable, you can attach its root volume to a healthy rescue instance in the same Availability Zone.
```bash
# Stop the impaired instance, detach its root volume, and attach it to the rescue instance
aws ec2 stop-instances --instance-ids i-impaired
aws ec2 wait instance-stopped --instance-ids i-impaired
aws ec2 detach-volume --volume-id vol-xxxxxxxx
aws ec2 wait volume-available --volume-ids vol-xxxxxxxx
aws ec2 attach-volume --volume-id vol-xxxxxxxx --instance-id i-rescue --device /dev/xvdf
# On the rescue instance: mount the root partition (on Nitro instances it appears as /dev/nvme1n1p1)
# and bind-mount what update-grub needs inside the chroot
sudo mkdir -p /mnt/rescue
sudo mount /dev/xvdf1 /mnt/rescue
for d in dev proc sys; do sudo mount --bind /$d /mnt/rescue/$d; done
sudo chroot /mnt/rescue
# ... edit /etc/default/grub, run update-grub (or grub2-mkconfig), then leave the chroot
exit
for d in sys proc dev; do sudo umount /mnt/rescue/$d; done
sudo umount /mnt/rescue
# Move the volume back and start the impaired instance
aws ec2 detach-volume --volume-id vol-xxxxxxxx
aws ec2 wait volume-available --volume-ids vol-xxxxxxxx
aws ec2 attach-volume --volume-id vol-xxxxxxxx --instance-id i-impaired --device /dev/xvda
aws ec2 start-instances --instance-ids i-impaired
```
## Error Resolution & Troubleshooting
| Error / Symptom | Root Cause | Remediation |
|---|---|---|
| Black screen after connecting | GRUB lacks serial console kernel parameters (`console=ttyS0`) | Attach root volume to rescue instance, edit `/etc/default/grub`, run `update-grub`, reattach |
| You are not authorized to perform this operation | IAM policy missing `ec2:SendSerialConsoleSSHPublicKey` | Add the action with appropriate resource and condition keys |
| Serial console is not enabled at the account level | Account-level serial console access disabled | Run `aws ec2 enable-serial-console-access` in the target region |
| EXPERT boot error | GRUB menu entry has EXPERT flag causing interactive pause | Remove EXPERT from `GRUB_CMDLINE_LINUX` or set `GRUB_HIDDEN_TIMEOUT=0` |
| SSH connection refused on tunnel port | SSH public key not yet sent to instance; or instance OS not accepting SSH on that port | Verify `send-serial-console-ssh-public-key` succeeded; check `sshd_config` allows root login |
## Production-Grade Implementation
- Enable only when needed: Use AWS Config rules to detect if serial console access is enabled at the account level and enforce a policy to disable it by default, enabling only for troubleshooting via a change request.
- Least-privilege IAM: Restrict `ec2:SendSerialConsoleSSHPublicKey` to specific instances and ports using condition keys. Never allow `*` on serial console actions in production accounts.
- Automated remediation: Use AWS Systems Manager Automation documents to attach a root volume, modify GRUB, and reboot the impaired instance, reducing manual rescue time.
- Audit serial console use: Enable AWS CloudTrail to log all `SendSerialConsoleSSHPublicKey` and `OpenSerialConsolePort` events. Set up alerts for anomalous use.
- Use dedicated SSH keys: Generate short-lived SSH keys for serial console sessions and never reuse production SSH keys.
- Test GRUB changes in a staging environment before applying to production instances, especially when using automated rescue workflows.
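The audit and alerting point above, as an added example that is not code from the page: a small Python detector run over CloudTrail records that flags serial console events from principals outside an approved break-glass role, events outside an agreed change window, any account-level enable/disable, and denied attempts. The records are constructed for this example (the role name `BreakGlassSerialConsole`, instance IDs and addresses are invented); the record layout follows CloudTrail's `eventName` / `userIdentity` / `requestParameters` fields, and the event names watched are the two the page names plus the Enable/Disable pair, which I add because they flip access for a whole region.

```python
from datetime import datetime, timezone

# Event names to audit. The first two are the ones the page names; the Enable/Disable
# pair is added here because it changes access for every instance in the region.
WATCHED_EVENTS = {
    "SendSerialConsoleSSHPublicKey",
    "OpenSerialConsolePort",
    "EnableSerialConsoleAccess",
    "DisableSerialConsoleAccess",
}

# Constructed sample CloudTrail records (all identifiers and addresses invented for this example)
SAMPLE_TRAIL = [
    {"eventTime": "2024-03-04T10:05:00Z", "eventSource": "ec2-instance-connect.amazonaws.com",
     "eventName": "SendSerialConsoleSSHPublicKey",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/BreakGlassSerialConsole/alice"},
     "requestParameters": {"instanceId": "i-0abcdef", "serialPort": 0}, "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-03-04T23:40:00Z", "eventSource": "ec2-instance-connect.amazonaws.com",
     "eventName": "SendSerialConsoleSSHPublicKey",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"},
     "requestParameters": {"instanceId": "i-0abcdef", "serialPort": 0}, "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-03-04T10:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "EnableSerialConsoleAccess",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/BreakGlassSerialConsole/alice"},
     "requestParameters": None, "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-03-04T10:07:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"},
     "requestParameters": None, "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-03-04T10:30:00Z", "eventSource": "ec2-instance-connect.amazonaws.com",
     "eventName": "SendSerialConsoleSSHPublicKey", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"},
     "requestParameters": {"instanceId": "i-0abcdef", "serialPort": 0}, "sourceIPAddress": "198.51.100.7"},
]


def parse_event_time(value):
    """CloudTrail eventTime is ISO 8601 in UTC, e.g. 2024-03-04T10:05:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def principal_name(arn):
    """Reduce an STS assumed-role ARN to its role name; any other ARN is returned unchanged."""
    tail = arn.rsplit(":", 1)[-1].split("/")
    return tail[1] if tail[0] == "assumed-role" and len(tail) >= 2 else arn


def audit_serial_console(events, allowed_principals, change_window=None):
    """Return alert strings for serial console events that break the page's rules.

    allowed_principals: role names or full ARNs approved for break-glass use.
    change_window: optional (start, end) ISO 8601 strings; events outside it are flagged.
    """
    window = tuple(parse_event_time(t) for t in change_window) if change_window else None
    alerts = []
    for ev in events:
        name = ev.get("eventName")
        if name not in WATCHED_EVENTS:
            continue
        who = ev.get("userIdentity", {}).get("arn", "<unknown>")
        params = ev.get("requestParameters") or {}
        target = params.get("instanceId", "account")
        port = params.get("serialPort")
        where = f"{name} on {target}" + (f" port {port}" if port is not None else "")
        context = f"{where} by {who} from {ev.get('sourceIPAddress', '?')} at {ev.get('eventTime')}"
        if principal_name(who) not in allowed_principals and who not in allowed_principals:
            alerts.append(f"UNAPPROVED_PRINCIPAL: {context}")
        if window and not (window[0] <= parse_event_time(ev["eventTime"]) <= window[1]):
            alerts.append(f"OUTSIDE_CHANGE_WINDOW: {context}")
        if name in ("EnableSerialConsoleAccess", "DisableSerialConsoleAccess"):
            alerts.append(f"ACCOUNT_LEVEL_TOGGLE: {context}")
        if ev.get("errorCode"):
            alerts.append(f"DENIED_ATTEMPT ({ev['errorCode']}): {context}")
    return alerts


if __name__ == "__main__":
    window = ("2024-03-04T09:00:00Z", "2024-03-04T12:00:00Z")
    for alert in audit_serial_console(SAMPLE_TRAIL, {"BreakGlassSerialConsole"}, window):
        print(alert)
```

Feed it the records from the CloudTrail lookup or S3 log delivery for the region; the account-level toggle is reported even when the approved role performs it, since the page's guidance is that enabling access is itself a change-request event.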
EC2 Serial Console is a lifeline for unreachable instances; configure it proactively with tight IAM controls and regular validation of GRUB settings to avoid black-screen scenarios during critical outages.
## Frequently Asked Questions
### What is the difference between ec2-instance-connect and ec2-serial-console?
Answer: EC2 Instance Connect injects SSH keys for one-time use over the network; the Serial Console provides persistent, out-of-band terminal access through the hypervisor, independent of network or SSH daemon status. Serial Console does not require networking or SSH daemon. It works through the hypervisor, enabling kernel debugging, boot recovery, and troubleshooting without network connectivity. Instance Connect relies on network reachability and port 22.
### When should I use the --enable-serial-console flag?
Answer: Use --enable-serial-console-access at the account level when you need out-of-band access to all instances in a region for troubleshooting boot or network issues. Enable per-region with:
```bash
aws ec2 --region us-east-1 enable-serial-console-access
```
Per-instance granular control is not possible; the flag controls the entire region. Verify status with:
```bash
aws ec2 get-serial-console-access-status --region us-east-1
```
### How do I fix the “SerialConsoleAccessDisabled” error when connecting to an instance?
Answer: Enable serial console access at the account level using enable-serial-console-access for the instance’s region, then grant IAM permissions. If the error persists, confirm that the instance supports serial console (only t2, t3, m5, c5, r5 families or later). Also ensure your user has this IAM policy:
```bash
aws iam attach-user-policy --user-name MyUser --policy-arn arn:aws:iam::aws:policy/AmazonEC2SerialConsoleAccess
```
### Does the EC2 Serial Console work on Nitro-based instances with non-AWS Linux distributions?
Answer: Yes, it works with any Nitro-based instance (all current-gen) and any operating system that supports serial console over the AWS hypervisor. Compatibility requires the instance to have a serial port exposed. For Linux, ensure getty or agetty listens on ttyS0. For Windows, enable Emergency Management Services (EMS). Verify with:
```bash
sudo systemctl status serial-getty@ttyS0.service
```
### What is the fastest way to connect to an EC2 Serial Console without interactive mouse clicks?
Answer: Use the AWS CLI with `aws ec2 get-console-output` for one-shot state, or `aws ec2-instance-connect send-serial-console-ssh-public-key` plus direct SSH. For immediate non-interactive boot diagnostics:
```bash
aws ec2 get-console-output --instance-id i-1234567890abcdef0 --output text
```
For persistent interactive access, upload your SSH key once and connect:
```bash
ssh -o "IdentitiesOnly=yes" -i /path/private_key i-1234567890abcdef0.port0@serial-console.ec2-instance-connect.us-east-1.aws
```
This avoids AWS Console latency.

Command Line Expert & Software Engineer
Welcome! I’m Thomas Heinrich, a software engineer and system administrator with a deep passion for the Command Line Interface (CLI). With years of experience navigating the terminal, building backend architectures, and automating server deployments, I created this space to share practical, real-world terminal knowledge.
Whether you are a beginner taking your first steps in a Linux environment or a seasoned DevOps engineer looking to optimize your deployment scripts, you will find actionable solutions here. My goal is to help you ditch the mouse, speed up your workflow, and harness the full power of the command line.