Ensure that the OS Login feature enabled at the virtual machine instance level is configured with Two-Factor Authentication (2FA) in order to help protect the access to your Google Cloud VM instances. Two-Factor Authentication (also known as Multi-Factor Authentication - MFA) provides an additional layer of security on top of the existing credentials.
When Two-Factor Authentication (2FA) is configured with OS Login, the user (e.g. instance administrator) will have to present a minimum of two separate forms of authorization before its access is granted. Having an 2FA/MFA-protected instance represents an efficient way to safeguard your production and business-critical applications against malicious actors, as attackers would have to compromise at least two different authentication methods in order to gain access to your VM instance, and this reduces significantly the risk of attack.
Note: OS Login feature must be enabled at the instance level in order to use OS Login 2FA.
To determine if OS Login is configured with 2FA at the VM instance level, perform the following operations:
Remediation / Resolution
By requiring more than one mechanism to authenticate to an instance, Two-Factor Authentication/Multi-Factor Authentication protects the user login from attackers exploiting stolen or weak credentials. To configure your production and mission-critical VM instances to use OS Login with Two-Factor Authentication (2FA), perform the following operations:Note: For all VM operating systems except CoreOS, OS Login 2FA changes are applied instantaneously, i.e. you don't have to restart your instance. For CoreOS distributions, you need to reboot or restart the instance for the configuration change to take effect.
- Google Cloud Platform (GCP) Documentation
- Choosing an access method
- Setting up OS Login
- Setting up OS Login with 2-step verification
Unlock the Remediation Steps
Free 30-day Trial
Automatically audit your configurations with Conformity
and gain access to our cloud security platform.
You are auditing:
Use OS Login with 2FA Authentication for VM Instances
Risk level: High