How do I turn on the EC2 Serial Console, SAC, and boot menu to troubleshoot issues on my Windows EC2 instance?

4 minute read

I want to turn on the Amazon Elastic Compute Cloud (Amazon EC2) Serial Console, Special Admin Console (SAC), and boot menu in my Windows instance to troubleshoot boot, network configuration, and other issues without the instance’s network capabilities.

Short description

To turn on the EC2 Serial Console, the SAC, and the boot menu on your Windows instance, use the AWSSupport-EnableWindowsEC2SerialConsole automation runbook. For instances in the running state managed by AWS Systems Manager, the runbook runs a Systems Manager Run Command PowerShell script. This script turns on the SAC and boot menu. For instances in the stopped state or not managed by Systems Manager, the runbook uses the AWSSupport-StartEC2RescueWorkflow automation workflow. This workflow creates a temporary EC2 instance to perform changes offline.

Resolution

Prerequisites

Make sure that your AWS Identity and Access Management (IAM) user or role has the required permissions. For more information, see Required IAM permissions in AWSSupport-EnableWindowsEC2SerialConsole.

Important

If you turn on SAC, then the EC2 services that rely on password retrieval don't work from the Amazon EC2 console. For more information, see Use SAC to troubleshoot your Windows instance.
To configure access to the serial console, you must grant serial console access at the account level. Then, configure IAM policies to grant access to your users. You must also configure a password-based user on every instance. For more information see, Configure access to the EC2 Serial Console.
For information on how to determine if the serial console is turned on in your account, see View account access status to the serial console.
Serial console access is supported only on virtualized instances built on the Nitro System.

To use the runbook, complete the following steps:

Navigate to the AWSSupport-EnableWindowsEC2SerialConsole in the Systems Manager console.
Choose Execute automation.
For the input parameters, enter the following values:
- InstanceId (Required): The ID of EC2 instance.
- AutomationAssumeRole (Optional): The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If a role isn't specified, then Systems Manager Automation uses the permissions of the user that starts this runbook.
- HelperInstanceType (Conditional): The type of Amazon EC2 instance that the runbook provisions to configure EC2 Serial Console access for an offline instance.
- HelperInstanceProfileName (Conditional): The name of an existing IAM instance profile for the helper instance. If you turn on SAC and boot menu on an instance in the stopped state, or isn't managed by Systems Manager, then this is required. If an IAM instance profile isn't specified, then the automation creates one for you.
- SubnetId (Conditional): The subnet ID for the helper instance. By default, the automation uses the same subnet where the provided instance resides.
- Important: If the target instance is in the stopped state or isn't managed by Systems Manager, then a custom subnet must meet the following requirements:
  Must be in the same Availability Zone as the InstanceId.
  Must allow access to the Systems Manager endpoints.
- CreateInstanceBackupBeforeScriptExecution (Optional): Choose True to create an Amazon Machine Image (AMI) backup of the EC2 instance before the SAC and boot menu are turned on. The AMI persists after the automation completes. It's your responsibility to secure access to the AMI, or to delete it.
- BackupAmazonMachineImagePrefix (Conditional): A prefix for the AMI that's created if the CreateInstanceBackupBeforeScriptExecution parameter is set to True.
Choose Execute.
Review detailed results in the Outputs section. The following are the sections contained in the output:
- EnableSACAndBootMenu.Output: Output of command execution in EnableSACAndBootMenu step.
- GetExecutionDetails.OfflineScriptOutput: Output of offline script executed in the RunAutomationToInjectOfflineScriptForEnablingSACAndBootMenu step.
- GetExecutionDetails.BackupBeforeScriptExecution: Image ID of the backup AMI taken if the CreateInstanceBackupBeforeScriptExecution input parameter is True.

Related information

AWS Support Automation Workflows (SAW)

Run an automation

Setting up Automation

EC2 Serial Console for Windows instances

Topics

Compute End User Computing

Relevant content

EC2 error This account is not authorized to use the EC2 serial console error, Instance reachability check failed
rePost-User-6616920
asked a year ago
EC2 Serial Console - 500 Server Error
Marcos Meira
asked 2 years ago
ec2 serial console utf8
Peter Morrow
asked 2 years ago
How to enable SAC with Cloud Shell
AWS-User-6176623
asked 2 years ago
This instance type is not supported for the EC2 serial console
sakshijain25892
asked 3 years ago
How do I use the Amazon EC2 serial console to troubleshoot my Windows instance?
AWS OFFICIALUpdated 5 months ago
How do I turn on and configure enhanced networking on my EC2 instances?
AWS OFFICIALUpdated a year ago
How can I configure access to the EC2 Serial Console of an unreachable or inaccessible Linux instance?
AWS OFFICIALUpdated 2 years ago
How do I troubleshoot Microsoft SQL issues on my EC2 Windows instance?
AWS OFFICIALUpdated 8 months ago
Announcing the new Applications widget on AWS Console Home
EXPERT
Grace Kitzmiller
published a year ago