π Google GCE Instance Enable Connecting to Serial Ports is not disabled π’
- Contextual name: π Instance Enable Connecting to Serial Ports is not disabled π’
- ID:
/ce/ca/google/compute-engine/instance-serial-port-connection - Located in: π Google GCE
Flagsβ
- π’ Policy with categories
- π’ Policy with type
- π’ Production policy
Our Metadataβ
- Policy Type:
COMPLIANCE_POLICY - Policy Category:
SECURITY
Similar Policiesβ
- Cloud Conformity
Logicβ
- π§ prod.logic.yaml π’
Descriptionβ
Descriptionβ
Interacting with a serial port is often referred to as the serial console, which is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support.
If you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address. Therefore interactive serial console support should be disabled.
Rationaleβ
A virtual machine instance has four virtual serial ports. Interacting with a serial port is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support. The instance's operating system, BIOS, and other system-level entities often write output to the serial ports, and can accept input such as commands or answers to prompts. Typically, these system-level entities use the first serial port (port 1) and serial port 1 is often referred to as the serial console.
The interactive serial console does not support IP-based access restrictions such as IP whitelists. If you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address. This allows anybody to connect to that instance if they know the correct SSH key, username, project ID, zone, and instance name.
... see more
Remediationβ
Remediationβ
From Google Cloud CLIβ
- Login to Google Cloud console
- Go to Computer Engine
- Go to VM instances
- Click on the Specific VM
- Click
EDIT- Unselect
Enable connecting to serial portsbelowRemote accessblock.- Click
SaveFrom Google Cloud Consoleβ
Use the below command to disable
gcloud compute instances add-metadata <INSTANCE_NAME> --zone=<ZONE> --metadata=serial-port-enable=falseor
gcloud compute instances add-metadata <INSTANCE_NAME> --zone=<ZONE> --metadata=serial-port-enable=0
policy.yamlβ
Linked Framework Sectionsβ
| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|---|---|---|---|
| πΌ CIS GCP v3.0.0 β πΌ 4.5 Ensure βEnable Connecting to Serial Portsβ Is Not Enabled for VM Instance - Level 1 (Automated) | 1 | |||
| πΌ Cloudaware Framework β πΌ Secure Access | 43 |