Disable Guest Attributes of Compute Engine Metadata
More Info:
Ensure that “Disable Guest Attributes of Compute Engine Metadata” organization policy is enforced in order to disable Compute Engine API access to the guest attributes configured for the virtual machines instances that belong to your project, folder, or organization.
Risk Level
Medium
Address
Reliability, Security
Compliance Standards
CBP
Remediation
Using Console
To remediate the misconfiguration of disabling the Guest Attributes of Compute Engine Metadata in GCP using the GCP console, follow these steps:
- Open the GCP Console and select the project where the misconfiguration exists.
- Navigate to the Compute Engine section from the left-hand menu.
- Click on the instance where the Guest Attributes of Compute Engine Metadata needs to be enabled.
- Click on the “Edit” button at the top of the page.
- Scroll down to the “Cloud Metadata” section and click on “Add item”.
- In the “Key” field, enter “enable-guest-attributes”.
- In the “Value” field, enter “TRUE”.
- Click on the “Save” button at the bottom of the page to save the changes.
After completing these steps, the Guest Attributes of Compute Engine Metadata will be enabled for the instance, and the misconfiguration will be remediated.
Using CLI
To remediate the misconfiguration “Disable Guest Attributes of Compute Engine Metadata” for GCP using GCP CLI, you can follow the below steps:
Step 1: Open the Google Cloud Shell.
Step 2: Run the following command to disable guest attributes of Compute Engine Metadata:
gcloud compute instances add-metadata INSTANCE_NAME --metadata=google-compute-disable-guest-attributes=true
Note: Replace INSTANCE_NAME with the name of the instance for which you want to disable guest attributes of Compute Engine Metadata.
Step 3: Verify that the guest attributes of Compute Engine Metadata have been disabled by running the following command:
gcloud compute instances describe INSTANCE_NAME --format="get(metadata.items['google-compute-disable-guest-attributes'])"
Note: Replace INSTANCE_NAME with the name of the instance for which you have disabled guest attributes of Compute Engine Metadata.
If the output of the above command is “true”, then it means that the guest attributes of Compute Engine Metadata have been successfully disabled.
Using Python
To remediate the misconfiguration of disabling guest attributes of Compute Engine Metadata in GCP using Python, you can follow the below steps:
Step 1: Set up the GCP SDK and authentication using the following command:
gcloud auth login
Step 2: Import the required libraries in Python:
from googleapiclient import discovery
from oauth2client.client import GoogleCredentials
Step 3: Create a function to disable the guest attributes of Compute Engine Metadata:
def disable_guest_attributes(project_id, zone):
credentials = GoogleCredentials.get_application_default()
service = discovery.build('compute', 'v1', credentials=credentials)
metadata = service.instances().get(project=project_id, zone=zone, instance='INSTANCE_NAME').execute()['metadata']
items = metadata['items']
for item in items:
if item['key'] == 'enable-guest-attributes':
item['value'] = 'FALSE'
metadata['items'] = items
service.instances().setMetadata(project=project_id, zone=zone, instance='INSTANCE_NAME', body=metadata).execute()
Step 4: Replace the project_id, zone, and INSTANCE_NAME with your GCP project ID, zone, and instance name respectively.
Step 5: Call the function to disable the guest attributes of Compute Engine Metadata:
disable_guest_attributes('PROJECT_ID', 'ZONE')
Note: Replace the PROJECT_ID and ZONE with your GCP project ID and zone respectively.
After executing the above code, the guest attributes of Compute Engine Metadata will be disabled for the specified instance.