Ensure OSLogin is enabled for centralized SSH key pair management using Google Project

MEDIUM

Description

Within Google Compute Engine, OS Login ties SSH access to Linux instances to IAM roles instead of SSH keys stored in project or instance metadata, so access is granted and revoked centrally through IAM rather than by editing metadata on each VM. The feature is controlled by the enable-oslogin metadata key, which can be set at the project level (inherited by every instance in the project) or at the instance level; an instance-level value overrides the project-level one. For more information on using the OS Login functionality, see the GCP documentation.
References:
https://cloud.google.com/compute/docs/oslogin/set-up-oslogin

Remediation

OS Login is enabled at the project or the instance level through metadata: the key is enable-oslogin and the value is TRUE. Setting it at the project level covers every instance in the project, so that is the preferred place for a centralized control; an instance-level setting applies only to that instance and takes precedence over the project value, so an instance with enable-oslogin set to FALSE remains exempt even when the project is set to TRUE. Decide which level is appropriate, then follow the instructions in the GCP documentation (below).

In Terraform -

  1. Create a google_project_service resource with the service field set to oslogin.googleapis.com, so the OS Login API is enabled in the project.
  2. Set the enable-oslogin metadata key to TRUE at the chosen level: at the project level with a google_compute_project_metadata_item resource (key enable-oslogin, value TRUE), or at the instance level in the metadata block of the google_compute_instance resource. Remove any instance-level enable-oslogin = "FALSE" entries, since they override the project setting.
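
The following Terraform configuration is an added example, not code from the original page or from the rule's publisher. It shows the project-level remediation described above, together with a weak instance that overrides it and a hardened instance that does not. The project ID my-project, the zone us-central1-a, the instance names, the image and the network are assumed placeholder values.

```hcl
# Added example: enabling OS Login for a whole project with Terraform.
# Assumed values: project ID "my-project", zone "us-central1-a",
# instance names "app-weak" and "app-hardened", image and network below.

# Step 1: the OS Login API must be enabled in the project.
resource "google_project_service" "oslogin" {
  project = "my-project" # assumed project ID
  service = "oslogin.googleapis.com"

  # Leave the API enabled even if this resource is removed from state,
  # so that a refactor does not silently switch SSH access back to metadata keys.
  disable_on_destroy = false
}

# Step 2: project-wide metadata. Every instance in the project inherits
# enable-oslogin = TRUE unless it sets the key itself.
resource "google_compute_project_metadata_item" "enable_oslogin" {
  project = "my-project" # assumed project ID
  key     = "enable-oslogin"
  value   = "TRUE"

  depends_on = [google_project_service.oslogin]
}

# WEAK: an instance-level enable-oslogin = "FALSE" overrides the project
# value, so this VM keeps accepting SSH keys pushed through metadata and
# is not covered by the centralized IAM-based control above.
resource "google_compute_instance" "weak" {
  name         = "app-weak" # assumed
  project      = "my-project"
  zone         = "us-central1-a" # assumed
  machine_type = "e2-small"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12" # assumed
    }
  }

  network_interface {
    network = "default" # assumed
  }

  metadata = {
    enable-oslogin = "FALSE"
  }
}

# HARDENED: no instance-level override, so the project value (TRUE) applies.
# Stating TRUE explicitly is also acceptable and makes the intent visible in
# the instance definition. Once OS Login is on, ssh-keys entries in metadata
# are ignored, so they should not be managed here at all.
resource "google_compute_instance" "hardened" {
  name         = "app-hardened" # assumed
  project      = "my-project"
  zone         = "us-central1-a" # assumed
  machine_type = "e2-small"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12" # assumed
    }
  }

  network_interface {
    network = "default" # assumed
  }

  metadata = {
    enable-oslogin = "TRUE"
  }

  depends_on = [google_compute_project_metadata_item.enable_oslogin]
}
```

After applying, confirm the effective value on each instance rather than trusting the project setting alone, because the instance-level key is what the guest agent honours; any instance that still carries enable-oslogin = "FALSE" needs that entry removed or changed to "TRUE".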

References:
https://cloud.google.com/compute/docs/oslogin/set-up-oslogin
https://cloud.google.com/compute/docs/metadata/setting-custom-metadata#set-projectwide
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_service

Policy Details

Rule Reference ID: AC_GCP_0274
CSP: GCP
Remediation Available: Yes
Resource Category: Management
Resource Type: Project

Frameworks