Enable OS Login for GCP Projects

Risk Level: Low (generally tolerable level of risk)

Rule ID: ComputeEngine-010

Ensure that the OS Login feature is enabled at the Google Cloud Platform (GCP) project level in order to provide you with centralized and automated SSH key pair management.

This rule resolution is part of the Conformity Security & Compliance tool for GCP.

Security

Enabling OS Login feature ensures that the SSH keys used to connect to VM instances are mapped with Google Cloud IAM users. Revoking access to corresponding IAM users will revoke all the SSH keys associated with these users, therefore it facilitates centralized SSH key pair management, which is extremely useful in handling compromised or stolen SSH key pairs and/or revocation of external/third-party/vendor users.

Important Note: Enabling OS Login for a GCP project disables metadata-based SSH key configurations on all the Google Compute Engine instances available within that project.

Audit

To determine if OS Login is enabled at the Google Cloud Platform (GCP) project level, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to Google Compute Engine dashboard at https://console.cloud.google.com/compute.

04 In the navigation panel, select Metadata to access the metadata available for the virtual machine (VM) instances provisioned within the selected project.

05 Select the Metadata tab and check for any metadata key pair with the name enable-oslogin. If there is no metadata key named enable-oslogin or the enable-oslogin key exists but the key value is set to FALSE, the OS Login feature is not enabled at the Google Cloud Platform (GCP) project level.

06 Because VM instances can override GCP project settings, ensure there are no instances with enable-oslogin key set to FALSE within the selected project. In the navigation panel, select VM instances to access the list with the virtual machine (VM) instances provisioned for the selected project.

07 Click on the name of the instance that you want to examine.

08 Select the Details tab to access the instance configuration details and check the Custom metadata section for a key pair with the name enable-oslogin. If there is no custom metadata key named enable-oslogin, then the VM will inherit the project-level settings. If the enable-oslogin key exists but the key value is set to FALSE, the OS Login feature is not enabled for the selected Google Compute Engine instance.

09 Repeat step no. 7 and 8 for each virtual machine instance created within the selected project.

10 Repeat steps no. 2 – 9 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the Google Cloud Platform (GCP) projects available in your Google Cloud account:

gcloud projects list
	--format="table(projectId)"

02 The command output should return the requested GCP project IDs:

PROJECT_ID
cc-web-stack-project-123123
cc-ml-custom-project-112233

03 Run compute project-info describe command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as identifier parameter and custom query filters to describe the metadata items associated with the selected project:

gcloud compute project-info describe
	--project cc-web-stack-project-123123
	--format="json(commonInstanceMetadata.items)"

04 The command output should return the requested GCP project metadata items:

{
  "commonInstanceMetadata": {
    "items": [
      {
        "key": "enable-oslogin",
        "value": "FALSE"
      },
      {
        "key": "ssh-keys",
        "value": "instance-admin:ssh-rsa ... \"expireOn\":\"2020-05-12T08:10:40+0000\"}"
      }
    ]
  }
}

If the compute project-info describe command output does not return any metadata items with the key name set to "enable-oslogin", or the "enable-oslogin" item exists but the item value is set to "FALSE", as shown in the output example above, the OS Login feature is not enabled at the Google Cloud Platform (GCP) project level.

05 Because VM instances can override GCP project settings, ensure there are no instances with "enable-oslogin" metadata key set to "FALSE" within the selected project. Run compute instances list command (Windows/macOS/Linux) using the ID of the verified GCP project as identifier parameter and custom filtering to describe the name and zone for each VM instance provisioned in the selected project:

gcloud compute instances list
	--project cc-web-stack-project-123123
	--format="table(name,zone)"

06 The command output should return the name(s) of the instance(s) within the selected GCP project:

NAME                      ZONE
cc-backend-vm-instance    us-central1-a
cc-frontend-vm-instance   us-central1-a

07 Run compute instances describe command (Windows/macOS/Linux) using the name and the zone of the instance that you want to examine as identifier parameter and custom filtering to describe the metadata items created for the selected virtual machine (VM) instance:

gcloud compute instances describe cc-backend-vm-instance
	--zone us-central1-a
	--format="json(metadata.items)"

08 The command output should return the requested VM instance metadata items:

{
  "metadata": {
    "items": [
      {
        "key": "enable-oslogin",
        "value": "FALSE"
      },
      {
        "key": "block-project-ssh-keys",
        "value": "true"
      },
      {
        "key": "ssh-keys",
        "value": "web-instance-rsa-key:ssh-rsa ... web-instance-rsa-key"
      }
    ]
  }
}

If the command output does not return any metadata items with the key name set to "enable-oslogin", then the VM will inherit the project-level settings. If the "enable-oslogin" item exists but its value is set to "FALSE", the OS Login feature is not enabled for the selected Google Compute Engine instance.

09 Repeat step no. 7 and 8 for each virtual machine instance provisioned within the selected project.

10 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To enable the OS Login feature at the Google Cloud Platform (GCP) project level, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to Google Compute Engine dashboard at https://console.cloud.google.com/compute.

04 In the navigation panel, select Metadata to access the metadata available for the virtual machine (VM) instances deployed within the selected project.

05 Select the Metadata tab and click Edit to enter the edit mode.

06 On the Metadata panel, click Add item and add a metadata entry where the Key is enable-oslogin and the Value is TRUE.

07 Click Save to apply the changes. Once the metadata item is saved, the OS Login feature is enabled for the selected Google Cloud project.

08 In the navigation panel, select VM instances to access the list with the virtual machine (VM) instances provisioned for the selected project.

09 Click on the name of the instance that overrides the GCP project metadata and has the enable-oslogin metadata item set to FALSE (see Audit section part I to identify the right instance).

10 On the selected resource configuration page, click EDIT to enter the edit mode.

11 In the Custom metadata section, remove any metadata entry with the Key set to enable-oslogin and the Value set to FALSE.

12 Click Save to apply the configuration changes.

13 If required, repeat steps no. 9 – 12 to reconfigure other virtual machine instances created for the selected project.

14 Repeat steps no. 2 – 13 for each GCP project available in your Google Cloud account.

Using GCP CLI

01 Run compute project-info add-metadata command (Windows/macOS/Linux) using the ID of the GCP project that you want to reconfigure as identifier parameter (see Audit section part II to identify the right resource), to enable the OS Login feature for the selected project:

gcloud compute project-info add-metadata
	--project cc-web-stack-project-123123
	--metadata enable-oslogin=TRUE

02 The command output should return the URL of the reconfigured Google Cloud project:

Updated [https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123].

03 Run compute instances remove-metadata command (Windows/macOS/Linux) using the name of the VM instance that overrides the GCP project metadata as identifier parameter (see Audit section part II to identify the right instance), to remove the enable-oslogin metadata item from the selected Google Compute Engine instance:

gcloud compute instances remove-metadata cc-backend-vm-instance
	--zone us-central1-a
	--keys=enable-oslogin

04 The command output should return the URL of the reconfigured VM instance:

pdated [https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/instances/cc-backend-vm-instance].

05 If required, repeat steps no. 1 – 4 to reconfigure other virtual machine instances available within the selected project.

06 Repeat steps no. 1 – 5 for each GCP project deployed in your Google Cloud account.

References

Google Cloud Platform (GCP) Documentation
Choosing an access method
Setting up OS Login

CIS Security Documentation
Securing Google Cloud Computing Platform

GCP Command Line Interface (CLI) Documentation
gcloud projects list
gcloud compute project-info describe
gcloud compute instances list
gcloud compute instances describe
gcloud compute project-info add-metadata
gcloud compute instances remove-metadata

Publication date Mar 12, 2020

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

No thanks, back to article

You are auditing:

Enable OS Login for GCP Projects

Risk Level: Low

Audit

Using GCP Console

Using GCP CLI

Remediation / Resolution

Using GCP Console

Using GCP CLI

References

Related ComputeEngine rules