Ensure that the "Require OS Login" constraint is enforced at the GCP organization level so that the OS Login feature is enabled on all newly created Google Cloud projects within your organization. OS Login provides centralized, automated SSH key pair management.
By default, OS Login is disabled for all Google Cloud Platform (GCP) projects created in your organization. Enforcing the "Require OS Login" organization policy ensures that the SSH keys used to connect to virtual machine instances within your GCP projects are mapped to Cloud IAM users. Revoking an IAM user's access revokes all SSH keys associated with that user, which gives you centralized SSH key pair management; this is extremely useful when handling compromised or stolen SSH key pairs and when revoking access for external, third-party or vendor users.
To determine if "Require OS Login" policy is enforced at the GCP organization level, perform the following operations:
Remediation / Resolution
To enforce the "Require OS Login" policy at the Google Cloud Platform (GCP) organization level, perform the following operations:
- GCP Command Line Interface (CLI) Documentation
- gcloud organizations list
- gcloud alpha resource-manager org-policies describe
- gcloud alpha resource-manager org-policies enable-enforce
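The audit and remediation the commands above refer to, as an added shell example that is not part of the original page: it parses the YAML printed by `org-policies describe` for the `compute.requireOsLogin` constraint and prints the `enable-enforce` command for any organization where the policy is not enforced. The sample `describe` outputs are constructed; the live `gcloud` calls require an authenticated session.

```shell
#!/bin/sh
# Added example (not from the original page). The organization policy is
# enforced only when `org-policies describe` prints a `booleanPolicy:` block
# containing `enforced: true`; an unset policy prints no booleanPolicy block,
# and an explicitly disabled one prints `booleanPolicy: {}`.

# os_login_enforced: read describe output on stdin; exit 0 if enforced.
os_login_enforced() {
  awk '
    /^booleanPolicy:/ { in_bool = 1; next }
    in_bool && /^[^ ]/ { in_bool = 0 }   # left the indented block
    in_bool && /^[[:space:]]+enforced:[[:space:]]*true/ { found = 1 }
    END { exit found ? 0 : 1 }
  '
}

# audit_org ORG_ID: live check of one organization (needs gcloud auth).
audit_org() {
  gcloud alpha resource-manager org-policies describe compute.requireOsLogin \
      --organization="$1" | os_login_enforced
}

# audit_all: check every organization visible to the caller and print the
# remediation command for each one that is not enforcing the constraint.
audit_all() {
  for org in $(gcloud organizations list --format='value(ID)'); do
    if audit_org "$org"; then
      echo "org $org: compute.requireOsLogin enforced"
    else
      echo "org $org: NOT enforced; remediate with:"
      echo "  gcloud alpha resource-manager org-policies enable-enforce" \
           "compute.requireOsLogin --organization=$org"
    fi
  done
}

# Constructed sample outputs for offline testing of the parser.
ENFORCED_SAMPLE='booleanPolicy:
  enforced: true
constraint: constraints/compute.requireOsLogin
etag: CONSTRUCTED-ETAG
updateTime: 2024-01-01T00:00:00.000000Z'

UNSET_SAMPLE='constraint: constraints/compute.requireOsLogin'

DISABLED_SAMPLE='booleanPolicy: {}
constraint: constraints/compute.requireOsLogin'
```

Run `audit_all` from an authenticated shell to report on every organization you can see.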
Require OS Login
Risk level: Medium