More Info:

Ensure that “Require OS Login” constraint policy is enforced at the GCP organization level in order to enable OS Login feature on all newly created Google Cloud projects within your organization. The OS Login provides you with centralized and automated SSH key pair management.

Risk Level

Medium

Address

Operational Maturity, Reliability, Security

Compliance Standards

CISGCP, CBP, ISO27001, HIPAA

Remediation

Using Console

The “Require OS Login” misconfiguration in GCP means that instances in your project do not require OS Login to access the instance. OS Login is a feature that lets you use your Google Cloud identity to manage access to Linux instances running on Compute Engine.

To remediate this misconfiguration, you can follow these steps:

  1. Open the Google Cloud Console and select your project.
  2. In the left-hand menu, click on “Compute Engine” and then “VM instances”.
  3. Select the instance for which you want to enable OS Login.
  4. Click on “Edit” at the top of the page.
  5. Scroll down to the “Cloud API access scopes” section.
  6. Click on “Change” next to “Access scopes”.
  7. In the “Access scopes” dialog box, select “Allow full access to all Cloud APIs” and click “Save”.
  8. Scroll down to the “OS Login” section and select “Enable OS Login”.
  9. Click “Save” at the bottom of the page.

After completing these steps, OS Login will be enabled for the selected instance, and users will need to authenticate with their Google Cloud identity to access the instance.

Using CLI

The “Require OS Login” feature in GCP ensures that all users who need to access an instance must have a valid user account on the instance. It can be remediated using the following steps:

  1. Open the Cloud Shell in GCP console.

  2. Run the following command to enable the “Require OS Login” feature for all instances in the project:

    gcloud compute project-info add-metadata \
--metadata enable-oslogin=TRUE

  3. Run the following command to update all existing instances in the project to use the “Require OS Login” feature:

    gcloud compute instances add-metadata \
--metadata enable-oslogin=TRUE --all

  4. If you create a new instance, the “Require OS Login” feature will be enabled by default. However, if you want to disable it for a specific instance, you can do so by running the following command:

    gcloud compute instances add-metadata INSTANCE_NAME \
--metadata enable-oslogin=FALSE

    Replace INSTANCE_NAME with the name of the instance you want to disable the feature for.

By following the above steps, you can remediate the “Require OS Login” misconfiguration in GCP using GCP CLI.

Using Python

To remediate the “Require OS Login” misconfiguration in GCP using Python, you can follow the below steps:

Step 1: Import the required libraries and authenticate the user credentials using Google Cloud SDK.

from google.oauth2 import service_account
from googleapiclient.discovery import build

# Authenticate the user credentials
credentials = service_account.Credentials.from_service_account_file('<path_to_service_account_file>')
service = build('compute', 'v1', credentials=credentials)

Step 2: Get the list of all instances in the project.

project = '<project_id>'
zone = '<zone>'

# Get the list of all instances
instances = service.instances().list(project=project, zone=zone).execute()

Step 3: Iterate through the list of instances and update the metadata to enable “Require OS Login”.

for instance in instances['items']:
    instance_name = instance['name']
    instance_zone = instance['zone'].split('/')[-1]

    # Get the current metadata of the instance
    metadata = service.instances().get(project=project, zone=instance_zone, instance=instance_name).execute()['metadata']

    # Update the metadata to enable "Require OS Login"
    metadata['items'].append({'key': 'enable-oslogin', 'value': 'TRUE'})

    # Set the updated metadata to the instance
    request = service.instances().setMetadata(project=project, zone=instance_zone, instance=instance_name, body=metadata)
    response = request.execute()

Step 4: Verify if the “Require OS Login” is enabled for all instances.

for instance in instances['items']:
    instance_name = instance['name']
    instance_zone = instance['zone'].split('/')[-1]

    # Get the current metadata of the instance
    metadata = service.instances().get(project=project, zone=instance_zone, instance=instance_name).execute()['metadata']

    # Verify if the "Require OS Login" is enabled
    for item in metadata['items']:
        if item['key'] == 'enable-oslogin' and item['value'] == 'TRUE':
            print(f"Require OS Login is enabled for instance {instance_name}")
            break
    else:
        print(f"Require OS Login is not enabled for instance {instance_name}")

Note: Make sure to replace the <path_to_service_account_file>, <project_id> and <zone> with the actual values in the code.