Ensure default setting for OSLogin is not overridden by Google Compute Instance

LOW

Description

Within Google Compute Instances, the OSLogin setting controls whether IAM roles are used to manage SSH access to the instance. It is configured through instance metadata and can be set at the project or instance level; an instance-level value takes precedence over the project-level one, which is why an instance override is what this rule checks for. For more information on using the OSLogin functionality, see the GCP documentation.
References:
https://cloud.google.com/compute/docs/oslogin/set-up-oslogin

Remediation

OSLogin can be set at either the project or the instance level using metadata: the key is enable-oslogin and the value is TRUE. To set this, decide whether it should be at the project or instance level, then follow the instructions in the GCP documentation (below). It is best to set this at the project level so that it is centrally managed.

In Terraform -

  1. Create a google_project_service resource and set the service field to oslogin.googleapis.com.
  2. Ensure that google_compute_instance resources don't have a metadata attribute setting enable-oslogin to false.
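The two steps above in Terraform, as an added example that is not part of the policy page: the API is enabled, enable-oslogin is set once as project-wide metadata (via google_compute_project_metadata_item, a resource the page does not list), and a compliant instance is shown beside the instance-level override this rule flags. Project id, names, zone and image are placeholders.

```hcl
# Step 1: enable the OS Login API in the project.
resource "google_project_service" "oslogin" {
  project = "my-project-id" # placeholder
  service = "oslogin.googleapis.com"
}

# Set enable-oslogin=TRUE project-wide so every instance inherits it
# and access is managed centrally through IAM.
resource "google_compute_project_metadata_item" "enable_oslogin" {
  project    = "my-project-id" # placeholder
  key        = "enable-oslogin"
  value      = "TRUE"
  depends_on = [google_project_service.oslogin]
}

# Step 2, compliant: the instance sets no enable-oslogin key, so the
# project-level value applies.
resource "google_compute_instance" "compliant" {
  name         = "vm-compliant" # placeholder
  machine_type = "e2-micro"
  zone         = "us-central1-a"
  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12" # placeholder
    }
  }
  network_interface {
    network = "default"
  }
  # No enable-oslogin entry here: inherits TRUE from project metadata.
  metadata = {}
}

# Non-compliant (what AC_GCP_0038 flags): the instance-level key overrides
# the project default, so IAM-based OS Login is disabled on this VM only.
resource "google_compute_instance" "noncompliant" {
  name         = "vm-override" # placeholder
  machine_type = "e2-micro"
  zone         = "us-central1-a"
  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12" # placeholder
    }
  }
  network_interface {
    network = "default"
  }
  metadata = {
    "enable-oslogin" = "FALSE" # remove this entry to remediate
  }
}
```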

References:
https://cloud.google.com/compute/docs/oslogin/set-up-oslogin
https://cloud.google.com/compute/docs/metadata/setting-custom-metadata#set-projectwide
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_service
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance

Policy Details

Rule Reference ID: AC_GCP_0038
CSP: GCP
Remediation Available: No
Resource Category: Compute
Resource Type: Virtual Machine

Frameworks