Skip to main content

๐Ÿ›ก๏ธ Google GCE Project OS Login is not enabled๐ŸŸข

  • Contextual name: ๐Ÿ›ก๏ธ Project OS Login is not enabled๐ŸŸข
  • ID: /ce/ca/google/compute-engine/instance-oslogin
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Statsโ€‹

not available

Logicโ€‹

Similar Policiesโ€‹

Descriptionโ€‹

Open File

Descriptionโ€‹

This policy checks whether OS Login is enabled at the Google Cloud project level for projects with running Google Compute Engine instances. OS Login links SSH access to Cloud IAM identities and reduces reliance on SSH keys stored in project or instance metadata.

Rationaleโ€‹

Enabling OS Login centralizes SSH access management through IAM. When access is removed from an IAM user, the associated SSH access is also removed. This helps manage SSH access consistently and reduces the operational risk of unmanaged or stale SSH keys.

Project-level OS Login can be overridden by instance metadata. A running instance that sets enable-oslogin to FALSE disables the project-level control for that instance.

Impactโ€‹

Enabling OS Login at the project level disables metadata-based SSH key configurations for instances in the project. If OS Login is later disabled, SSH keys configured in project or instance metadata are restored.

Auditโ€‹

This policy flags a Google Project as INCOMPLIANT when both of the following conditions are met:

... see more

Remediationโ€‹

Open File

Remediationโ€‹

From Google Cloud Consoleโ€‹

  1. Go to the VM compute metadata page by visiting: https://console.cloud.google.com/compute/metadata.
  2. Click Edit.
  3. Add a metadata entry where the key is enable-oslogin and the value is TRUE.
  4. Click Save to apply the changes.
  5. For every instance that overrides the project setting, go to the VM Instances page at https://console.cloud.google.com/compute/instances.
  6. Click the name of the instance on which you want to remove the metadata value.
  7. At the top of the instance details page, click Edit to edit the instance settings.
  8. Under Custom metadata, remove any entry with key enable-oslogin and the value is FALSE
  9. At the bottom of the instance details page, click Save to apply your changes to the instance.

From Google Cloud CLIโ€‹

  1. Configure oslogin on the project:

    gcloud compute project-info add-metadata \
    --metadata enable-oslogin=TRUE
  2. Remove instance metadata that overrides the project setting.

    gcloud compute instances remove-metadata {{instance-name}} \

... see more

policy.yamlโ€‹

Open File

Linked Framework Sectionsโ€‹

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
๐Ÿ’ผ CIS GCP v1.2.0 โ†’ ๐Ÿ’ผ 4.4 Ensure oslogin is enabled for a Project - Level 1 (Automated)1no data
๐Ÿ’ผ CIS GCP v1.3.0 โ†’ ๐Ÿ’ผ 4.4 Ensure Oslogin Is Enabled for a Project - Level 1 (Automated)1no data
๐Ÿ’ผ CIS GCP v2.0.0 โ†’ ๐Ÿ’ผ 4.4 Ensure Oslogin Is Enabled for a Project - Level 1 (Automated)1no data
๐Ÿ’ผ CIS GCP v3.0.0 โ†’ ๐Ÿ’ผ 4.4 Ensure Oslogin Is Enabled for a Project - Level 1 (Automated)1no data
๐Ÿ’ผ CIS GCP v4.0.0 โ†’ ๐Ÿ’ผ 4.4 Ensure Oslogin Is Enabled for a Project - Level 1 (Automated)1no data
๐Ÿ’ผ CIS GCP v5.0.0 โ†’ ๐Ÿ’ผ 4.4 Ensure Oslogin Is Enabled for a Project - Level 1 (Automated)1no data
๐Ÿ’ผ Cloudaware Framework โ†’ ๐Ÿ’ผ Secure Access61no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ AC-2 Account Management (L)(M)(H)10859no data
๐Ÿ’ผ FedRAMP Low Security Controls โ†’ ๐Ÿ’ผ AC-2 Account Management (L)(M)(H)9no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ AC-2 Account Management (L)(M)(H)959no data
๐Ÿ’ผ ISO/IEC 27001:2022 โ†’ ๐Ÿ’ผ 5.15 Access control1532no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ DE.CM-01: Networks and network services are monitored to find potentially adverse events185no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events105no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization47no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties144no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected197no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ AC-2 Account Management132158no data
๐Ÿ’ผ SOC 2 โ†’ ๐Ÿ’ผ CC6.1-4 Identifies and Authenticates Users46no data
๐Ÿ’ผ SOC 2 โ†’ ๐Ÿ’ผ CC6.1-6 Manages Points of Access57no data
๐Ÿ’ผ SOC 2 โ†’ ๐Ÿ’ผ CC6.1-8 Manages Identification and Authentication1825no data
๐Ÿ’ผ SOC 2 โ†’ ๐Ÿ’ผ CC6.1-9 Manages Credentials for Infrastructure and Software34no data