OS Login is disabled Affecting Compute Engine service in Google

Severity Framework Snyk CCSS

Rule category IAM / Usage

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

CIS-Controls CIS-Google CSA-CCM SOC-2

Snyk ID SNYK-CC-00384
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

Enabling Compute Engine OS Login for a project ensures that SSH keys used to access instances are mapped to IAM users. If access is revoked for an IAM user, associated SSH keys are revoked as well. This streamlines handling compromised SSH key pairs and the process for revoking access.

How to fix?

Set metadata.enable-oslogin attribute to true.

Example Configurations

resource "google_compute_project_metadata" "allowed" {
  metadata = {
    "enable-oslogin" = true
  }
}

resource "google_compute_project_metadata_item" "allowed_item" {
  key   = "enable-oslogin"
  value = true
}

OS Login is disabled Affecting Compute Engine service in Google

Description

How to fix?

Example Configurations

Terraform

References