Ensure that the OS Login feature is enabled at the Google Cloud Platform (GCP) project level so that SSH key pair management for Compute Engine instances is centralized and automated.
This rule resolution is part of the Conformity Security & Compliance tool for GCP.
Enabling the OS Login feature ties the SSH keys used to connect to VM instances to Google Cloud IAM identities: a user's key is stored in their OS Login profile rather than in project or instance metadata, and login is authorized by IAM (the roles/compute.osLogin or roles/compute.osAdminLogin role) instead of by whatever public keys happen to be in metadata. Revoking an IAM user's access therefore revokes every SSH key associated with that user at once, which is what makes key management centralized and is particularly useful when a key pair is compromised or stolen, or when an external, third-party or vendor user must be off-boarded.
Important Note: Enabling OS Login at the project level (the enable-oslogin=TRUE key in project metadata) disables metadata-based SSH keys on every Google Compute Engine instance in that project, except instances that set their own enable-oslogin value in instance metadata, which takes precedence over the project setting. Grant the required IAM OS Login roles before enabling it, otherwise users who currently log in with metadata keys lose access immediately.
Audit
To determine if OS Login is enabled at the Google Cloud Platform (GCP) project level, perform the following actions:
Remediation / Resolution
To enable the OS Login feature at the Google Cloud Platform (GCP) project level, perform the following actions:
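The audit and remediation procedures above rely on the gcloud commands listed under References. The following POSIX shell script is an added example, not the page's own steps and not Conformity's or Google's code: its audit mode reads the project-level enable-oslogin value, then checks every instance for an instance-level override (instance metadata takes precedence, so a project-wide TRUE does not cover an instance that sets FALSE), and its remediate mode sets the key project-wide and removes non-TRUE instance overrides. The --flatten/--format invocation used to read metadata, the case-insensitive comparison of the value (the documented spelling is TRUE) and the project, zone and instance names passed on the command line are my assumptions.

```shell
#!/bin/sh
# Added example (not part of the Conformity page): audit and remediate the
# enable-oslogin metadata key with gcloud, using the commands the page lists
# under References. Assumptions: gcloud is installed and authenticated, and the
# active account can describe the project and list/describe its instances.
set -eu

tab="$(printf '\t')"

# Metadata items are fetched with
#   --flatten="<path>[]" --format="value(<path>.key,<path>.value)"
# which prints one "key<TAB>value" line per item. oslogin_value reads such
# lines on stdin and prints TRUE, FALSE (or whatever other value is set) or
# UNSET for enable-oslogin. The documented value is TRUE; the comparison is
# case-insensitive on the assumption that Compute Engine treats it that way.
oslogin_value() {
  key=""; value=""
  while IFS="$tab" read -r key value; do
    if [ "$key" = "enable-oslogin" ]; then
      printf '%s\n' "$value" | tr '[:lower:]' '[:upper:]'
      return 0
    fi
  done
  printf 'UNSET\n'
}

# Effective state of one instance: an instance-level enable-oslogin value
# overrides the project-level one, so a project-wide TRUE does not help an
# instance that sets FALSE. Prints ENABLED or DISABLED.
effective_state() {   # $1 = project value, $2 = instance value
  v="$2"
  if [ "$v" = "UNSET" ]; then v="$1"; fi
  if [ "$v" = "TRUE" ]; then printf 'ENABLED\n'; else printf 'DISABLED\n'; fi
}

project_metadata() {  # $1 = project id
  gcloud compute project-info describe --project "$1" \
    --flatten="commonInstanceMetadata.items[]" \
    --format="value(commonInstanceMetadata.items.key,commonInstanceMetadata.items.value)"
}

instance_metadata() { # $1 = project id, $2 = zone, $3 = instance name
  gcloud compute instances describe "$3" --project "$1" --zone "$2" \
    --flatten="metadata.items[]" \
    --format="value(metadata.items.key,metadata.items.value)"
}

list_instances() {    # $1 = project id; prints "name<TAB>zone" per instance
  gcloud compute instances list --project "$1" --format="value(name,zone.basename())"
}

# Audit: print the project value and the effective state of every instance;
# return 1 if any instance is not effectively ENABLED.
audit_project() {     # $1 = project id
  project="$1"; rc=0
  items="$(project_metadata "$project")"       # assignment form, so a gcloud
  instances="$(list_instances "$project")"     # failure aborts under set -e
  proj_value="$(printf '%s\n' "$items" | oslogin_value)"
  echo "project $project: enable-oslogin=$proj_value"
  while read -r name zone; do
    [ -n "$name" ] || continue
    inst_items="$(instance_metadata "$project" "$zone" "$name")"
    inst_value="$(printf '%s\n' "$inst_items" | oslogin_value)"
    state="$(effective_state "$proj_value" "$inst_value")"
    echo "  $name ($zone): instance=$inst_value effective=$state"
    [ "$state" = "ENABLED" ] || rc=1
  done <<EOF
$instances
EOF
  return $rc
}

# Remediate: enable OS Login project-wide, then drop instance-level overrides
# that are not TRUE so the project setting applies everywhere. This disables
# metadata-based SSH keys on those instances, so grant the IAM OS Login roles
# (roles/compute.osLogin or roles/compute.osAdminLogin) first.
remediate_project() { # $1 = project id
  project="$1"
  gcloud compute project-info add-metadata --project "$project" \
    --metadata enable-oslogin=TRUE
  instances="$(list_instances "$project")"
  while read -r name zone; do
    [ -n "$name" ] || continue
    inst_items="$(instance_metadata "$project" "$zone" "$name")"
    inst_value="$(printf '%s\n' "$inst_items" | oslogin_value)"
    if [ "$inst_value" != "UNSET" ] && [ "$inst_value" != "TRUE" ]; then
      echo "removing enable-oslogin=$inst_value override from $name ($zone)"
      gcloud compute instances remove-metadata "$name" --project "$project" \
        --zone "$zone" --keys enable-oslogin
    fi
  done <<EOF
$instances
EOF
}

# Usage: sh oslogin_check.sh audit PROJECT_ID | remediate PROJECT_ID
case "${1:-}" in
  audit)     audit_project "${2:?PROJECT_ID required}" ;;
  remediate) remediate_project "${2:?PROJECT_ID required}" ;;
  "")        ;;   # run without arguments: define the functions only
  *)         echo "usage: $0 audit|remediate PROJECT_ID" >&2; exit 2 ;;
esac
```

Run it as `sh oslogin_check.sh audit PROJECT_ID` for each project returned by `gcloud projects list`; a non-zero exit means at least one instance is not effectively covered, and the per-instance lines show whether the cause is the project setting or an instance override. The metadata is pulled in the assignment form rather than piped directly so that a failing gcloud call (wrong project, missing permission) aborts the script instead of being silently reported as UNSET.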
References
- Google Cloud Platform (GCP) Documentation
  - Choosing an access method
  - Setting up OS Login
- CIS Security Documentation
  - Securing Google Cloud Computing Platform
- GCP Command Line Interface (CLI) Documentation
  - gcloud projects list
  - gcloud compute project-info describe
  - gcloud compute instances list
  - gcloud compute instances describe
  - gcloud compute project-info add-metadata
  - gcloud compute instances remove-metadata
Rule: Enable OS Login for GCP Projects
Risk Level: Low