Compute project metadata ‘OS Login’ should be enabled

Description

Enabling Compute Engine OS Login for a project ensures that SSH keys used to access instances are mapped to IAM users. If access is revoked for an IAM user, associated SSH keys are revoked as well. This streamlines handling compromised SSH key pairs and the process for revoking access.

Remediation Steps

Google Cloud Console

  • Navigate to Compute Engine metadata.

  • Click EDIT.

  • Add a metadata entry with key enable-oslogin and value TRUE.

  • Because Compute Engine instances can override project-level settings, ensure that no instance has custom metadata with key enable-oslogin and value FALSE.

  • Click SAVE.

For instances that override project-level settings:

  • Navigate to VM instances.

  • Click on the instance name to go to the VM instance details page.

  • Click STOP if the instance is running, and then click EDIT.

  • Under Custom metadata, remove any entry with key enable-oslogin and value FALSE.

  • Click SAVE and then click START.

gcloud CLI

  • Enable OS Login at the project level:

    • gcloud compute project-info add-metadata --metadata enable-oslogin=TRUE

  • Stop each Compute Engine instance that overrides the project-level setting:

    • gcloud compute instances stop INSTANCE_NAME

  • Remove the instance-level override so the project setting applies:

    • gcloud compute instances remove-metadata INSTANCE_NAME --keys=enable-oslogin

  • Restart the instance:

    • gcloud compute instances start INSTANCE_NAME
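The Console and gcloud steps above both amount to one rule: an instance is compliant only if the effective enable-oslogin value is TRUE, where an instance-level metadata entry overrides the project-level one. The following Python script is an added audit example, not part of this benchmark page or any Google tool. It evaluates that rule over the JSON that `gcloud compute project-info describe --format=json` and `gcloud compute instances list --format=json` emit (the commonInstanceMetadata.items and metadata.items fields), reports instances where OS Login is effectively disabled, and prints the remediation commands from the page for each finding. The sample project and instance records embedded below are constructed for illustration; treating only a case-insensitive TRUE as "enabled" is this script's assumption, based on the documented TRUE/FALSE values.

```python
"""Audit effective Compute Engine OS Login state from gcloud JSON output.

Added example (not the benchmark's or Google's code). Usage:
  python oslogin_audit.py project.json instances.json
where the files come from:
  gcloud compute project-info describe --format=json > project.json
  gcloud compute instances list --format=json > instances.json
With no arguments it runs against the constructed sample data below.
"""
import json
import sys

OSLOGIN_KEY = "enable-oslogin"


def _metadata_value(items, key):
    """Return the value for `key` from a metadata items list [{key, value}], or None."""
    for item in items or []:
        if item.get("key") == key:
            return item.get("value")
    return None


def _is_true(value):
    # Assumption: only TRUE (any case) enables OS Login; FALSE, other strings and
    # a missing key all count as "not enabled".
    return value is not None and value.strip().lower() == "true"


def project_oslogin_enabled(project_info):
    """Project-level setting from commonInstanceMetadata (output of project-info describe)."""
    items = project_info.get("commonInstanceMetadata", {}).get("items", [])
    return _is_true(_metadata_value(items, OSLOGIN_KEY))


def effective_oslogin(project_enabled, instance):
    """An instance-level enable-oslogin entry overrides the project value when present."""
    value = _metadata_value(instance.get("metadata", {}).get("items"), OSLOGIN_KEY)
    if value is None:
        return project_enabled
    return _is_true(value)


def audit(project_info, instances):
    """Return (project_enabled, findings); findings lists instances with OS Login off."""
    project_enabled = project_oslogin_enabled(project_info)
    findings = []
    for inst in instances:
        # `zone` is a resource URL; keep only the trailing zone name for gcloud flags.
        zone = inst.get("zone", "").rsplit("/", 1)[-1]
        override = _metadata_value(inst.get("metadata", {}).get("items"), OSLOGIN_KEY)
        if not effective_oslogin(project_enabled, inst):
            findings.append({"name": inst.get("name"), "zone": zone, "override": override})
    return project_enabled, findings


def remediation_commands(project_enabled, findings):
    """Build the gcloud commands from the remediation steps for each finding."""
    cmds = []
    if not project_enabled:
        cmds.append("gcloud compute project-info add-metadata --metadata enable-oslogin=TRUE")
    for f in findings:
        if f["override"] is None:
            continue  # inherits from the project; fixed by the project-level command above
        zone_flag = f" --zone={f['zone']}" if f["zone"] else ""
        cmds.append(f"gcloud compute instances stop {f['name']}{zone_flag}")
        cmds.append(f"gcloud compute instances remove-metadata {f['name']}{zone_flag} --keys=enable-oslogin")
        cmds.append(f"gcloud compute instances start {f['name']}{zone_flag}")
    return cmds


# Constructed sample data in the shape gcloud emits (not captured from a real project).
_ZONE_BASE = "https://www.googleapis.com/compute/v1/projects/example-project/zones/"
SAMPLE_PROJECT = {"commonInstanceMetadata": {"items": [{"key": OSLOGIN_KEY, "value": "TRUE"}]}}
SAMPLE_INSTANCES = [
    {"name": "web-1", "zone": _ZONE_BASE + "us-central1-a", "metadata": {"items": []}},
    {"name": "legacy-db", "zone": _ZONE_BASE + "us-central1-b",
     "metadata": {"items": [{"key": OSLOGIN_KEY, "value": "FALSE"}]}},
    {"name": "bastion", "zone": _ZONE_BASE + "us-central1-a",
     "metadata": {"items": [{"key": OSLOGIN_KEY, "value": "true"}]}},
]


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fp:
            project = json.load(fp)
        with open(sys.argv[2]) as fp:
            instances = json.load(fp)
    else:
        project, instances = SAMPLE_PROJECT, SAMPLE_INSTANCES
    enabled, found = audit(project, instances)
    print(f"project-level OS Login enabled: {enabled}")
    for f in found:
        print(f"NON-COMPLIANT {f['name']} ({f['zone']}): enable-oslogin={f['override']}")
    for cmd in remediation_commands(enabled, found):
        print(cmd)
```

Run against the sample data, the script flags only legacy-db (its FALSE override wins over the project's TRUE) and emits the stop / remove-metadata / start sequence for it with a --zone flag, since gcloud instance commands need the zone when it is not set in the active configuration. Re-run the audit after remediation to confirm the findings list is empty.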