Enable 2FA for VM Instances using OS Login

Ensure that 2-factor authentication is enabled for Virtual Machine instances using OS Login. This enhances the security of VM Instances by adding an extra layer of authentication.

Risk Level: Medium
Cloud Entity: Virtual Machine Instances
CloudGuard Rule ID: D9.GCP.CRY.16
Covered by Spectral: No
Category: Compute


VMInstance where metadata.items contain [ key = 'enable-oslogin' and value like 'true' ] should have metadata.items contain [ key = 'enable-oslogin-2fa' and value like 'true' ]


From Portal

  1. Go to 'VM Instances' in the Google Cloud Console.
  2. Select the VM Instance you want to modify.
  3. Go to 'Edit'.
  4. Scroll down to 'Management' -> 'Metadata'.
  5. Click 'Add item'.
  6. Enter 'enable-oslogin-2fa' in the 'Key' field and 'true' in the 'Value' field.
  7. click 'Save'.

From TF

resource "google_compute_instance" "default" {
	name = "instance_name"
	machine_type = "n1-standard-1"
	metadata = {
		enable-oslogin = "TRUE"
		enable-oslogin-2fa = "TRUE"

From Command Line
run the following command:

gcloud compute instances add-metadata INSTANCE_NAME --metadata enable-oslogin-2fa=TRUE


  1. https://cloud.google.com/compute/docs/oslogin
  2. https://cloud.google.com/compute/docs/oslogin/set-up-oslogin

Virtual Machine Instances

Compute Engine instances can run the public images for Linux and Windows Server that Google provides as well as private custom images that you can create or import from your existing systems. You can also deploy Docker containers, which are automatically launched on instances running the Container-Optimized OS public image.

You can choose the machine properties of your instances, such as the number of virtual CPUs and the amount of memory, by using a set of predefined machine types or by creating your own custom machine types.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CloudGuard Best Practices