Google CloudOverview
Enabling OS login binds SSH certificates to IAM users and facilitates effective SSH certificate management.
Rationale
Enabling osLogin ensures that SSH keys used to connect to instances are mapped with IAM users. Revoking access to IAM user will revoke all the SSH keys associated with that particular user. It facilitates centralized and automated SSH key pair management which is useful in handling cases like response to compromised SSH key pairs and/or revocation of external/third-party/Vendor users.
Impact
Enabling OS Login on project disables metadata-based SSH key configurations on all instances from a project. Disabling OS Login restores SSH keys that you have configured in project or instance meta-data.
Remediation guidance
Using Google Cloud Console
- Go to the VM compute metadata page using https://console.cloud.google.com/compute/metadata
- Click
EDIT - Add a metadata entry where the key is
enable-osloginand the value isTRUE - Click
SAVEto apply the changes - For every instance that overrides the project setting, go to the VM Instances page at https://console.cloud.google.com/compute/instances.
- Click the name of the instance from which you want to remove the metadata value
- At the top of the instance details page, click
EDITto edit the instance settings - Under
Custom metadata, remove any entry with the keyenable-osloginand the valueFALSE - At the bottom of the instance details page, click
SAVEto apply your changes to the instance
Using Google Cloud CLI
- Configure oslogin on the project:
gcloud compute project-info add-metadata --metadata enable-oslogin=TRUE
- Remove instance metadata that overrides the project setting:
gcloud compute instances remove-metadata <instanceName> --keys=enable-oslogin
Optionally, you can enable two factor authentication for OS login. For more information, see: https://cloud.google.com/compute/docs/oslogin/setup-two-factor-authentication.
Default Value
By default, the parameter enable-oslogin is not set, which is equivalent to setting it to FALSE.
References
- https://cloud.google.com/compute/docs/instances/managing-instance-access
- https://cloud.google.com/compute/docs/instances/managing-instance-access#enable_oslogin
- https://cloud.google.com/sdk/gcloud/reference/compute/instances/remove-metadata
- https://cloud.google.com/compute/docs/oslogin/setup-two-factor-authentication
Notes
- In order to use osLogin, instances using Custom Images must have the latest version of the Linux Guest Environment installed. The following image families do not yet support OS Login:
Project cos-cloud (Container-Optimized OS) image family cos-stable
All project coreos-cloud (CoreOS) image families
Project suse-cloud (SLES) image family sles-11
All Windows Server and SQL Server image families
- Project enable-oslogin can be overridden by setting the enable-oslogin parameter to an instance metadata individually.
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
Google Cloud
Use organization or folder policies where available, shared project templates, logs and alerting baselines, and IaC modules so new resources inherit the secure setting.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
Oslogin is enabled for a Project
Connectors
Covered asset types
Expected check: eq []
projects(where:{hasCommonInstanceMetadataItem_SOME:{key:"os-login",value:"false"}}){...AssetFragment}
