⭐ Repository → 📁 Compliance Engine → 📁 CloudAware → 📁 Google → 📁 GCE

🛡️ Google GCE Instance OS Login is not enabled🟢

• Contextual name: 🛡️ Instance OS Login is not enabled🟢
• ID: /ce/ca/google/compute-engine/instance-oslogin
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 Google GCE Instance
  • 🔌 Google GCE Instance - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• Cloud Conformity: Enable OS Login for GCP Projects

Description

Open File

Description

OS login binds SSH certificates to IAM users and facilitates effective SSH certificate management.

Rationale

Enabling osLogin ensures that SSH keys used to connect to instances are mapped with IAM users. Revoking access to IAM user will revoke all the SSH keys associated with that particular user. It facilitates centralized and automated SSH key pair management which is useful in handling cases like response to compromised SSH key pairs and/or revocation of external/third-party/Vendor users.

Impact

Enabling OS Login on project disables metadata-based SSH key configurations on all instances from a project. Disabling OS Login restores SSH keys that you have configured in project or instance meta-data.

Audit

From Google Cloud Console

1. Go to the VM compute metadata page by visiting https://console.cloud.google.com/compute/metadata.
2. Ensure that key enable-oslogin is present with value set to TRUE.
3. Because instances can override project settings, ensure that no instance has custom metadata with key enable-oslogin and value FALSE.

... see more

Remediation

Open File

Remediation

From Google Cloud Console

1. Go to the VM compute metadata page by visiting: https://console.cloud.google.com/compute/metadata.
2. Click Edit.
3. Add a metadata entry where the key is enable-oslogin and the value is TRUE.
4. Click Save to apply the changes.
5. For every instance that overrides the project setting, go to the VM Instances page at https://console.cloud.google.com/compute/instances.
6. Click the name of the instance on which you want to remove the metadata value.
7. At the top of the instance details page, click Edit to edit the instance settings.
8. Under Custom metadata, remove any entry with key enable-oslogin and the value is FALSE
9. At the bottom of the instance details page, click Save to apply your changes to the instance.

From Google Cloud CLI

1. Configure oslogin on the project:

        gcloud compute project-info add-metadata --metadata enable-oslogin=TRUE

2. Remove instance metadata that overrides the project setting.

        gcloud compute instances remove-metadata <INSTANCE_NAME> --keys=enable-oslogin

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 CIS GCP v1.2.0 → 💼 4.4 Ensure oslogin is enabled for a Project - Level 1 (Automated)			1		no data
💼 CIS GCP v1.3.0 → 💼 4.4 Ensure Oslogin Is Enabled for a Project - Level 1 (Automated)			1		no data
💼 CIS GCP v2.0.0 → 💼 4.4 Ensure Oslogin Is Enabled for a Project - Level 1 (Automated)			1		no data
💼 CIS GCP v3.0.0 → 💼 4.4 Ensure Oslogin Is Enabled for a Project - Level 1 (Automated)			1		no data
💼 Cloudaware Framework → 💼 Secure Access			55		no data
💼 FedRAMP High Security Controls → 💼 AC-2 Account Management (L)(M)(H)	10	8	35		no data
💼 FedRAMP Low Security Controls → 💼 AC-2 Account Management (L)(M)(H)			4		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2 Account Management (L)(M)(H)	9		35		no data
💼 ISO/IEC 27001:2022 → 💼 5.15 Access control		14	30		no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			118		no data
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events			81		no data
💼 NIST CSF v2.0 → 💼 PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization			38		no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties			91		no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			111		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2 Account Management	13	20	34		no data
💼 SOC 2 → 💼 CC6.1-4 Identifies and Authenticates Users		4	6		no data
💼 SOC 2 → 💼 CC6.1-6 Manages Points of Access		5	7		no data
💼 SOC 2 → 💼 CC6.1-8 Manages Identification and Authentication		18	24		no data
💼 SOC 2 → 💼 CC6.1-9 Manages Credentials for Infrastructure and Software		3	4		no data