Ensure oslogin is enabled for a Virtual Machine

Enabling OS Login ensures that the SSH keys used to connect to instances are mapped to IAM users. Revoking an IAM user's access revokes all SSH keys associated with that user. This provides centralized, automated SSH key-pair management, which helps when responding to compromised SSH key pairs or when revoking external, third-party or vendor users.

Risk Level: Medium
Cloud Entity: Virtual Machine Instances
CloudGuard Rule ID: D9.GCP.CRY.04
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

VMInstance should not have metadata.items contain [ key='enable-oslogin' and value regexMatch /FALSE/i ]

REMEDIATION

From Portal

  1. Go to the VM instances page.
  2. Click the name of the instance on which you want to set the metadata value.
  3. At the top of the instance details page, click Edit to edit the instance settings.
  4. Under Custom metadata, add a metadata entry where the key is enable-oslogin and the value is TRUE.
  5. At the bottom of the instance details page, click Save to apply your changes to the instance.

From TF
Set the metadata key 'enable-oslogin' to the value 'TRUE' (in the google provider, metadata is a map argument, not a nested block):

resource "google_compute_instance" "default" {
	...
	metadata = {
		enable-oslogin = "TRUE"
	}
}

From Command Line
Run

gcloud compute instances add-metadata INSTANCE_NAME --metadata enable-oslogin=TRUE --zone ZONE_OF_INSTANCE
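The following script is an added example (not part of the CloudGuard rule page or of Check Point's tooling) that implements the GSL predicate above in Python over the JSON shape emitted by `gcloud compute instances list --format=json` (`metadata.items[].key` / `.value`), and generates the remediation command from the "From Command Line" step. It goes one step beyond the rule: an instance with no `enable-oslogin` key inherits the project-level setting, so `effective_oslogin` also takes the project metadata (assumed here as a plain key/value dict, such as the `commonInstanceMetadata.items` of `gcloud compute project-info describe`, flattened) and treats OS Login as enabled only when the resulting value is `TRUE`. The instance records, project metadata and instance names are constructed sample data.

```python
import re
from typing import Dict, List, Optional

# Regex equivalent of the GSL predicate: value regexMatch /FALSE/i
OSLOGIN_DISABLED = re.compile(r"FALSE", re.IGNORECASE)


def metadata_items(instance: dict) -> List[dict]:
    """Return metadata.items from an instance record, tolerating a missing block."""
    return (instance.get("metadata") or {}).get("items") or []


def oslogin_metadata_value(instance: dict) -> Optional[str]:
    """Return the instance-level 'enable-oslogin' value, or None when the key is unset."""
    for item in metadata_items(instance):
        if item.get("key") == "enable-oslogin":
            return item.get("value")
    return None


def violates_rule(instance: dict) -> bool:
    """D9.GCP.CRY.04 as written: fail only when an item has key 'enable-oslogin'
    and a value matching /FALSE/i. An instance without the key passes this rule."""
    return any(
        item.get("key") == "enable-oslogin"
        and OSLOGIN_DISABLED.search(item.get("value") or "") is not None
        for item in metadata_items(instance)
    )


def effective_oslogin(instance: dict, project_metadata: Dict[str, str]) -> bool:
    """Beyond the rule (assumption labelled in the lead-in): instance metadata
    overrides project metadata, an unset key inherits the project value, and
    OS Login counts as enabled only when the effective value is TRUE."""
    value = oslogin_metadata_value(instance)
    if value is None:
        value = project_metadata.get("enable-oslogin")
    return value is not None and value.strip().upper() == "TRUE"


def remediation_command(instance_name: str, zone: str) -> str:
    """Build the gcloud command from the page's 'From Command Line' step."""
    return (
        f"gcloud compute instances add-metadata {instance_name} "
        f"--metadata enable-oslogin=TRUE --zone {zone}"
    )


def audit(instances: List[dict], project_metadata: Dict[str, str]) -> List[dict]:
    """Evaluate every instance and attach a remediation command where the rule fails."""
    report = []
    for inst in instances:
        failed = violates_rule(inst)
        report.append({
            "name": inst["name"],
            "rule_violation": failed,
            "effective_oslogin": effective_oslogin(inst, project_metadata),
            "remediation": remediation_command(inst["name"], inst.get("zone", "ZONE_OF_INSTANCE")) if failed else None,
        })
    return report


# Constructed sample data (not real instances): one compliant, one explicitly
# disabled, one without the key, one with no metadata at all.
SAMPLE_INSTANCES = [
    {"name": "web-1", "zone": "us-central1-a",
     "metadata": {"items": [{"key": "enable-oslogin", "value": "TRUE"}]}},
    {"name": "db-1", "zone": "us-central1-b",
     "metadata": {"items": [{"key": "enable-oslogin", "value": "false"}]}},
    {"name": "batch-1", "zone": "us-central1-a",
     "metadata": {"items": [{"key": "startup-script", "value": "#!/bin/sh\necho hi"}]}},
    {"name": "legacy-1", "zone": "us-central1-c", "metadata": {}},
]
PROJECT_METADATA = {"enable-oslogin": "TRUE"}  # constructed project-level setting

if __name__ == "__main__":
    for row in audit(SAMPLE_INSTANCES, PROJECT_METADATA):
        print(row)
```

Note that only `db-1` fails the rule as the GSL expresses it, while `batch-1` and `legacy-1` pass it and are protected only because the constructed project metadata enables OS Login; with an empty project metadata dict they would report `effective_oslogin` as false without any rule violation, which is the gap the second check surfaces.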

References

  1. https://cloud.google.com/compute/docs/storing-retrieving-metadata
  2. https://cloud.google.com/sdk/gcloud/reference/compute/instances/add-metadata

Virtual Machine Instances

Compute Engine instances can run the public images for Linux and Windows Server that Google provides as well as private custom images that you can create or import from your existing systems. You can also deploy Docker containers, which are automatically launched on instances running the Container-Optimized OS public image.

You can choose the machine properties of your instances, such as the number of virtual CPUs and the amount of memory, by using a set of predefined machine types or by creating your own custom machine types.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CloudGuard Best Practices
  • GCP GDPR Readiness
  • GCP ISO 27001:2013
  • GCP LGPD regulation
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 4
  • GCP NIST 800-53 Rev 5
  • GCP NIST CSF v1.1
  • GCP PCI-DSS 3.2
  • GCP PCI-DSS 4.0
  • GCP Security Risk Management