Ensure Legacy Compute Engine Instance Metadata APIs Are Disabled
More Info:
Disable the legacy GCE instance metadata APIs for GKE nodes. Under some circumstances, these can be used from within a pod to extract the node’s credentialsRisk Level
HighAddress
Security, Reliability, Operational Excellence, Performance EfficiencyCompliance Standards
CISGKETriage and Remediation
Remediation
Using Console
Using Console
To remediate the misconfiguration “Ensure Legacy Compute Engine Instance Metadata APIs Are Disabled” for GCP using GCP console, follow the below steps:
- Open the Google Cloud Console and select your project.
- Navigate to the Compute Engine page from the left-hand menu.
- From the Compute Engine page, select the “Metadata” tab.
- Under the “Metadata” tab, click on the “Edit” button.
- Scroll down to the “Legacy Metadata Access” section.
- Select the “Disallow” option to disable the legacy metadata access.
- Click on the “Save” button to save the changes.
Using CLI
Using CLI
To remediate the misconfiguration “Ensure Legacy Compute Engine Instance Metadata APIs Are Disabled” for GCP using GCP CLI, follow the below steps:Here, replace [INSTANCE_NAME] with the name of the instance for which you want to disable the legacy metadata APIs.This should output “true” which indicates that the legacy metadata APIs are now disabled.
- Open the GCP Cloud Shell and run the following command to disable the legacy metadata APIs:
- Verify the change by running the following command:
- Repeat the above steps for all the instances in your GCP project to ensure that the legacy metadata APIs are disabled for all instances.
Using Python
Using Python
To remediate the misconfiguration “Ensure Legacy Compute Engine Instance Metadata APIs Are Disabled” for GCP using Python, you can use the following steps:Note: Replace YOUR_PROJECT_ID and YOUR_INSTANCE_NAME with your actual project ID and instance name respectively. Also, replace the zone variable with the appropriate zone for your instance.
- Import the necessary Python libraries:
- Authenticate and authorize your credentials:
- Get the project ID:
- Get the instance name:
- Get the instance metadata:
- Check if the legacy metadata APIs are enabled:
- If the legacy metadata APIs are enabled, remove the ‘enable-guest-attributes’ key from the metadata and update the instance metadata with the new metadata:
- If the legacy metadata APIs are already disabled, print a message indicating that they are already disabled: