Ensure that the "Require OS Login" constraint (compute.requireOsLogin) is enforced at the Google Cloud Platform (GCP) organization level so that the OS Login feature is enabled on all newly created projects within your organization. OS Login ties SSH access to Compute Engine instances to Cloud IAM identities and gives you centralized, automated SSH key pair management.
By default, OS Login is disabled for the projects created in your organization, and SSH access to virtual machine instances relies on keys stored in project or instance metadata. Enforcing the "Require OS Login" organization policy enables OS Login on all newly created projects, so the SSH keys used to connect to virtual machine instances are mapped to Cloud IAM users, and on both new and existing projects it blocks metadata updates that would disable OS Login at the project or instance level. Revoking a user's IAM access then revokes every SSH key associated with that user. This centralized SSH key pair management is especially useful when handling compromised or stolen SSH key pairs and when revoking the access of external, third-party, or vendor users. Note that enforcing the constraint does not retroactively enable OS Login on existing projects or instances where it is currently off; those must still be updated individually.
Audit
To determine if the "Require OS Login" policy is enforced at the GCP organization level, identify your organization ID and describe the policy set for the compute.requireOsLogin constraint on that organization (the gcloud commands are listed under References), then perform the following operations:
Remediation / Resolution
To enforce the "Require OS Login" policy at the Google Cloud Platform (GCP) organization level, enable enforcement of the compute.requireOsLogin constraint on your organization (the gcloud command is listed under References), then perform the following operations:
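The following script is an added example covering both the Audit and the Remediation steps above; it is not part of the original page. It wraps the gcloud commands listed under References, and it parses the YAML that `org-policies describe` prints to decide whether the constraint is enforced. The sample policy outputs embedded in the script are constructed (the etag value is made up), the `booleanPolicy: {}` shape for a disabled policy is an assumption, and the script assumes gcloud is installed and the caller has organization policy administrator rights on the organization.

```shell
#!/usr/bin/env bash
# Added example (not part of the original page): audit and, when requested,
# enforce the compute.requireOsLogin organization policy constraint.
# Assumes gcloud is installed and authenticated as an organization policy admin.
set -eu

CONSTRAINT="compute.requireOsLogin"

# Interpret the YAML printed by
#   gcloud alpha resource-manager org-policies describe compute.requireOsLogin --organization ORG_ID
# Returns 0 only when a "booleanPolicy:" block contains "enforced: true".
# An unset policy (no booleanPolicy block at all) or a disabled one returns 1,
# so "no policy" is reported as a failing audit, not as a pass.
policy_is_enforced() {
  policy_yaml="$1"
  printf '%s\n' "$policy_yaml" \
    | grep -Eq '^[[:space:]]*enforced:[[:space:]]*true[[:space:]]*$'
}

# Live audit: returns 0 if the constraint is enforced on the organization.
audit_org() {
  org_id="$1"
  policy_is_enforced "$(gcloud alpha resource-manager org-policies describe \
      "$CONSTRAINT" --organization "$org_id" --format yaml)"
}

# Remediation: enforce the constraint, then re-audit to confirm the change took.
enforce_org() {
  org_id="$1"
  gcloud alpha resource-manager org-policies enable-enforce \
      "$CONSTRAINT" --organization "$org_id"
  audit_org "$org_id"
}

# Constructed sample outputs (not captured from a real organization) in the
# shape the describe command prints, so the parser can be exercised offline.
SAMPLE_ENFORCED='booleanPolicy:
  enforced: true
constraint: constraints/compute.requireOsLogin
etag: BwWzQ0p7dTk=
updateTime: 2020-01-01T00:00:00.000Z'

# Assumed shape after disable-enforce: the block exists but nothing is enforced.
SAMPLE_DISABLED='booleanPolicy: {}
constraint: constraints/compute.requireOsLogin
etag: BwWzQ0p7dTk='

# No policy has ever been set on the organization for this constraint.
SAMPLE_UNSET='constraint: constraints/compute.requireOsLogin'

# Run a live audit when ORG_ID (the numeric ID from "gcloud organizations list")
# is supplied; set ENFORCE=1 to remediate a failing audit. Examples:
#   ORG_ID=123456789012 ./oslogin_policy.sh
#   ENFORCE=1 ORG_ID=123456789012 ./oslogin_policy.sh
if [ -n "${ORG_ID:-}" ]; then
  if audit_org "$ORG_ID"; then
    echo "OK: $CONSTRAINT is enforced on organization $ORG_ID"
  elif [ "${ENFORCE:-0}" = "1" ]; then
    enforce_org "$ORG_ID"
    echo "Enforced $CONSTRAINT on organization $ORG_ID"
  else
    echo "FAIL: $CONSTRAINT is not enforced on organization $ORG_ID" >&2
    exit 1
  fi
fi
```

Without `ORG_ID` the script only defines the functions and samples, which makes it safe to source into a larger compliance check; with `ORG_ID` set it exits non-zero on a failing audit so it can gate a CI job. The parser treats an absent policy and an explicitly disabled one identically, because from the SSH key management standpoint both leave OS Login optional.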
References
- Google Cloud Platform (GCP) Documentation
- Organization policy constraints
- Using constraints
- GCP Command Line Interface (CLI) Documentation
- gcloud organizations list
- gcloud alpha resource-manager org-policies describe
- gcloud alpha resource-manager org-policies enable-enforce