Skip to main content

More Info:

Enable OS login to ensure that SSH keys used to connect to instances are mapped with IAM users.

Risk Level

High

Address

Security

Compliance Standards

SOC2, PCIDSS, ISO27001, HIPAA, CISGCP, CBP, NISTCSF

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “OS Login Should Be Enabled” for GCP using GCP console, follow these steps:
  1. Open the GCP Console and select the project you want to work on.
  2. In the left-hand menu, select “Compute Engine” and then select “VM instances”.
  3. Click on the name of the VM instance you want to configure.
  4. In the VM instance details page, click on the “Edit” button at the top of the page.
  5. Scroll down to the “Cloud API access scopes” section.
  6. In the “Cloud API access scopes” section, click on “Allow full access to all Cloud APIs”.
  7. Scroll down to the “Cloud Identity and Access Management (IAM)” section.
  8. In the “Cloud Identity and Access Management (IAM)” section, click on “Add item”.
  9. In the “Add members” dialog box, enter the email address of the user or service account you want to grant access to.
  10. In the “Role” dropdown menu, select “Compute OS Login”.
  11. Click “Save” to apply the changes.
After following these steps, OS Login will be enabled for the selected VM instance in GCP.

To remediate the “OS Login Should Be Enabled” misconfiguration in GCP using GCP CLI, you can follow these steps:
  1. Open the Cloud Shell from the GCP Console.
  2. Run the following command to enable OS Login for all users in your project:
gcloud compute project-info add-metadata --metadata enable-oslogin=TRUE
  1. If you want to enable OS Login for a specific instance, you can use the following command:
gcloud compute instances add-metadata INSTANCE_NAME --metadata enable-oslogin=TRUE
Replace INSTANCE_NAME with the name of the instance for which you want to enable OS Login.
  1. If you want to enable OS Login for a specific user, you can use the following command:
gcloud compute os-login ssh-keys add --key-file=PUBLIC_KEY_FILE --ttl=TTL USERNAME
Replace PUBLIC_KEY_FILE with the path to the public key file, TTL with the time-to-live for the key (in seconds), and USERNAME with the username of the user for whom you want to enable OS Login.
  1. Verify that OS Login is enabled by running the following command:
gcloud compute project-info describe --format="value(commonInstanceMetadata.items.filter(key:enable-oslogin).value)"
This command will return TRUE if OS Login is enabled for your project.That’s it! By following these steps, you should be able to remediate the “OS Login Should Be Enabled” misconfiguration in GCP using GCP CLI.
To remediate the misconfiguration “OS Login Should Be Enabled” for GCP using Python, follow these steps:
  1. Import the necessary libraries:
from googleapiclient import discovery
from oauth2client.client import GoogleCredentials
  1. Set the project ID and zone where the VM instances are located:
project_id = 'your-project-id'
zone = 'your-zone'
  1. Authenticate and authorize the client:
credentials = GoogleCredentials.get_application_default()
service = discovery.build('compute', 'v1', credentials=credentials)
  1. Retrieve the list of VM instances:
request = service.instances().list(project=project_id, zone=zone)
response = request.execute()
instances = response['items']
  1. For each VM instance, check if OS Login is enabled:
for instance in instances:
    instance_name = instance['name']
    instance_zone = instance['zone'].split('/')[-1]
    instance_id = instance['id']
    instance_url = f'/compute/v1/projects/{project_id}/zones/{instance_zone}/instances/{instance_name}'

    request = service.instances().get(project=project_id, zone=instance_zone, instance=instance_name)
    response = request.execute()
    metadata = response['metadata']['items']

    oslogin_enabled = False
    for item in metadata:
        if item['key'] == 'enable-oslogin' and item['value'] == 'TRUE':
            oslogin_enabled = True

    if not oslogin_enabled:
        print(f"OS Login is not enabled for instance {instance_name}.")
  1. If OS Login is not enabled, enable it:
request_body = {
    'items': [
        {
            'key': 'enable-oslogin',
            'value': 'TRUE'
        }
    ]
}

request = service.instances().setMetadata(project=project_id, zone=instance_zone, instance=instance_name, body=request_body)
response = request.execute()
  1. Verify that OS Login is now enabled:
request = service.instances().get(project=project_id, zone=instance_zone, instance=instance_name)
response = request.execute()
metadata = response['metadata']['items']

oslogin_enabled = False
for item in metadata:
    if item['key'] == 'enable-oslogin' and item['value'] == 'TRUE':
        oslogin_enabled = True

if oslogin_enabled:
    print(f"OS Login has been enabled for instance {instance_name}.")
Note: Make sure to replace “your-project-id” and “your-zone” with your actual project ID and zone.

Additional Reading: