Disable Guest Attributes of Compute Engine Metadata

More Info:

Ensure that “Disable Guest Attributes of Compute Engine Metadata” organization policy is enforced in order to disable Compute Engine API access to the guest attributes configured for the virtual machines instances that belong to your project, folder, or organization.

Risk Level

Medium

Address

Reliability, Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration “Disable Guest Attributes of Compute Engine Metadata” for GCP using GCP CLI, you can follow the below steps:Step 1: Open the Google Cloud Shell.Step 2: Run the following command to disable guest attributes of Compute Engine Metadata:

gcloud compute instances add-metadata INSTANCE_NAME --metadata=google-compute-disable-guest-attributes=true

Note: Replace INSTANCE_NAME with the name of the instance for which you want to disable guest attributes of Compute Engine Metadata.Step 3: Verify that the guest attributes of Compute Engine Metadata have been disabled by running the following command:

gcloud compute instances describe INSTANCE_NAME --format="get(metadata.items['google-compute-disable-guest-attributes'])"

Note: Replace INSTANCE_NAME with the name of the instance for which you have disabled guest attributes of Compute Engine Metadata.If the output of the above command is “true”, then it means that the guest attributes of Compute Engine Metadata have been successfully disabled.

Using Python

To remediate the misconfiguration of disabling guest attributes of Compute Engine Metadata in GCP using Python, you can follow the below steps:Step 1: Set up the GCP SDK and authentication using the following command:

gcloud auth login

Step 2: Import the required libraries in Python:

from googleapiclient import discovery
from oauth2client.client import GoogleCredentials

Step 3: Create a function to disable the guest attributes of Compute Engine Metadata:

def disable_guest_attributes(project_id, zone):
    credentials = GoogleCredentials.get_application_default()
    service = discovery.build('compute', 'v1', credentials=credentials)
    metadata = service.instances().get(project=project_id, zone=zone, instance='INSTANCE_NAME').execute()['metadata']
    items = metadata['items']
    for item in items:
        if item['key'] == 'enable-guest-attributes':
            item['value'] = 'FALSE'
    metadata['items'] = items
    service.instances().setMetadata(project=project_id, zone=zone, instance='INSTANCE_NAME', body=metadata).execute()

Step 4: Replace the project_id, zone, and INSTANCE_NAME with your GCP project ID, zone, and instance name respectively.Step 5: Call the function to disable the guest attributes of Compute Engine Metadata:

disable_guest_attributes('PROJECT_ID', 'ZONE')

Note: Replace the PROJECT_ID and ZONE with your GCP project ID and zone respectively.After executing the above code, the guest attributes of Compute Engine Metadata will be disabled for the specified instance.

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Disable Guest Attributes of Compute Engine Metadata

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation