Ensure multi-factor authentication is enabled for Google Compute Project Metadata

LOW

Description

Within Google Compute Engine, OS Login replaces instance-managed SSH keys with IAM-based access control for Linux instances, and it can additionally require 2-step verification (two-factor authentication) for every SSH session. Both behaviours are controlled by instance metadata keys (enable-oslogin and enable-oslogin-2fa) that can be set at the project level or on an individual instance; where a key is set at both levels, the instance value takes precedence, so an instance-level setting can silently override a project-wide policy. For more information on using OS Login, see the GCP documentation.
References:
https://cloud.google.com/compute/docs/oslogin/set-up-oslogin

Remediation

OS Login with MFA can be set at either the project or the instance level using metadata. The metadata key is enable-oslogin-2fa with the value TRUE; it only takes effect when OS Login itself is enabled (enable-oslogin set to TRUE). Determine whether it needs to be at the project or instance level, then follow the instructions in the GCP documentation (below). It is best to set this at the project level so that it is centrally managed, and to confirm that no instance overrides it with a FALSE value.

In Terraform -

  1. Create a google_compute_project_metadata resource and add a metadata attribute setting enable-oslogin to "TRUE" and enable-oslogin-2fa to "TRUE" (metadata values are strings).
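The Terraform configuration described above, as an added example rather than code from the original page or from the Terraform provider documentation. The resource and key names are the ones in the references below; the instance name, zone, machine type and image are placeholder values chosen for illustration. The second resource is the weak configuration a scan should flag, shown beside the corrected project-level setting.

```hcl
# Corrected setting: OS Login with 2-step verification enforced project-wide.
# google_compute_project_metadata is authoritative for project metadata: any
# existing key not listed in the map is removed on apply, so list every key
# you intend to keep (or use google_compute_project_metadata_item per key).
resource "google_compute_project_metadata" "oslogin" {
  metadata = {
    enable-oslogin     = "TRUE" # required; enable-oslogin-2fa is ignored without it
    enable-oslogin-2fa = "TRUE" # require 2-step verification for OS Login SSH sessions
  }
}

# Weak setting: instance metadata overrides project metadata, so this instance
# (placeholder name/zone/machine type/image) silently opts out of the project
# policy above. Remove the enable-oslogin-2fa = "FALSE" entry to remediate,
# or set it to "TRUE"; leaving the key unset inherits the project value.
resource "google_compute_instance" "legacy_bastion" {
  name         = "legacy-bastion"   # placeholder
  machine_type = "e2-small"         # placeholder
  zone         = "us-central1-a"    # placeholder

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12" # placeholder image family
    }
  }

  network_interface {
    network = "default"
  }

  metadata = {
    enable-oslogin-2fa = "FALSE" # overrides the project-wide TRUE for this instance
  }
}
```

After applying the project-level resource, verify the effective values with `gcloud compute project-info describe --format="value(commonInstanceMetadata.items)"` and check each instance's metadata for an overriding enable-oslogin or enable-oslogin-2fa key, since a project-wide TRUE does not guarantee enforcement on an instance that sets its own value.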

References:
https://cloud.google.com/compute/docs/oslogin/set-up-oslogin
https://cloud.google.com/compute/docs/metadata/setting-custom-metadata#set-projectwide
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_project_metadata
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance

Policy Details

Rule Reference ID: AC_GCP_0275
CSP: GCP
Remediation Available: No
Resource Type: Policy

Frameworks