GCP Projects Have OS Login Disabled

This policy identifies GCP projects that have OS Login disabled. Enabling OS Login ties the SSH keys used to connect to instances to IAM identities, so revoking an IAM user's access revokes every SSH key associated with that user. This gives centralized, automated SSH key management, which is useful, for example, when responding to a compromised SSH key pair.

Policy Details

Policy Subtype
Run, Build
Severity
Medium
Template Type
Terraform

Build Rules

GCP Projects have OS Login disabled.
JSON Query:
$.resource[*].google_compute_project_metadata_item.[*].[*].[*].key exists and $.resource[*].google_compute_project_metadata_item.[*].[*].[*].key == enable-oslogin and $.resource[*].google_compute_project_metadata_item.[*].[*].[*].value exists and $.resource[*].google_compute_project_metadata_item.[*].[*].[*].value == FALSE
Recommendation:
Recommended solution to enable OS Login at the project level.
Ensure that GCP projects have OS Login enabled. Make sure the google_compute_project_metadata_item resource in the template (named "oslogin" in the example below) has "key" set to "enable-oslogin" and "value" set to "TRUE". Note that the query above matches only an explicit value of FALSE: a template that omits the enable-oslogin item entirely is not flagged, even though OS Login is disabled by default, and an instance whose own metadata sets enable-oslogin to FALSE overrides the project-level setting.
For example:
"google_compute_project_metadata_item": [ { "oslogin": [ { "key": "enable-oslogin", "project": "test", "value": "TRUE" } ] } ]
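The following is an added example, not Prisma Cloud's rule engine or any code from this page. It evaluates the same condition as the build rule above against a Terraform template in JSON syntax (a google_compute_project_metadata_item with key "enable-oslogin" and value "FALSE"), and as a stricter extension also reports the two cases the query does not match: no project-level enable-oslogin item at all, and a google_compute_instance whose own metadata sets enable-oslogin to FALSE. The template, the resource names ("oslogin", "vm") and the function names are constructed for the example.

```python
"""Added example: check a Terraform-JSON template for the OS Login setting this policy describes.

check_oslogin(template) mirrors the page's build rule (explicit project-level FALSE only);
check_oslogin(template, strict=True) additionally flags a missing project-level item and
instance-level overrides. enable_project_oslogin() applies the recommended fix.
"""
import copy
import json

# Constructed template in the same shape as the JSON example on this page (not real project data).
TEMPLATE = json.loads("""
{
  "resource": [
    {
      "google_compute_project_metadata_item": [
        { "oslogin": [ { "key": "enable-oslogin", "project": "test", "value": "FALSE" } ] }
      ]
    },
    {
      "google_compute_instance": [
        { "vm": [ { "name": "vm-1", "metadata": { "enable-oslogin": "FALSE" } } ] }
      ]
    }
  ]
}
""")


def _resources(template, rtype):
    """Yield (name, body) for every resource of type rtype in a Terraform-JSON template."""
    for block in template.get("resource", []):
        for entry in block.get(rtype, []):
            for name, bodies in entry.items():
                for body in bodies:
                    yield name, body


def _is_true(value):
    return str(value).strip().upper() == "TRUE"


def check_oslogin(template, strict=False):
    """Return a list of finding strings (empty list means the template passes)."""
    findings = []
    items = [(n, b) for n, b in _resources(template, "google_compute_project_metadata_item")
             if b.get("key") == "enable-oslogin"]
    for name, body in items:
        value = body.get("value")
        # Build rule: only an explicit FALSE. Strict: anything that is not TRUE.
        bad = (str(value).strip().upper() == "FALSE") if not strict else not _is_true(value)
        if bad:
            findings.append(f"google_compute_project_metadata_item.{name}: enable-oslogin = {value!r}")
    if strict:
        if not items:
            findings.append("project: no enable-oslogin metadata item (OS Login is disabled by default)")
        for name, body in _resources(template, "google_compute_instance"):
            meta = body.get("metadata") or {}
            if "enable-oslogin" in meta and not _is_true(meta["enable-oslogin"]):
                findings.append(f"google_compute_instance.{name}: metadata overrides project with "
                                f"enable-oslogin = {meta['enable-oslogin']!r}")
    return findings


def enable_project_oslogin(template, name="oslogin", project="test"):
    """Return a copy of the template with a project-level enable-oslogin=TRUE item (the page's fix)."""
    fixed = copy.deepcopy(template)
    for _, body in _resources(fixed, "google_compute_project_metadata_item"):
        if body.get("key") == "enable-oslogin":
            body["value"] = "TRUE"
            return fixed
    fixed.setdefault("resource", []).append({
        "google_compute_project_metadata_item": [
            {name: [{"key": "enable-oslogin", "project": project, "value": "TRUE"}]}
        ]
    })
    return fixed


if __name__ == "__main__":
    for label, tpl in (("original", TEMPLATE), ("fixed", enable_project_oslogin(TEMPLATE))):
        print(label, "build-rule findings:", check_oslogin(tpl))
        print(label, "strict findings:   ", check_oslogin(tpl, strict=True))
```

Running it shows the gap: after the project-level fix the build-rule check passes, while the strict check still reports the instance whose metadata sets enable-oslogin to FALSE, since instance metadata takes precedence over project metadata.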

Run Rule Recommendation

  1. Log in to the GCP Console.
  2. Go to Compute Engine (left panel).
  3. Go to Metadata.
  4. Click the Edit button.
  5. Click Add item and add a metadata entry with the key 'enable-oslogin' and the value 'TRUE'.
  6. Click Save to apply the changes.
The equivalent gcloud command is: gcloud compute project-info add-metadata --metadata enable-oslogin=TRUE. Also check that no instance sets enable-oslogin to FALSE in its own metadata, since instance metadata overrides the project-level value.

Compliance

There are 5 standards that are applicable to this policy:
  • MITRE ATT&CK [Beta]
  • CIS v1.0.0 (GCP)
  • PIPEDA
  • ISO 27001:2013
  • CCPA 2018