Compute instances ‘Enable connecting to serial ports’ should not be enabled

Description

A Compute Engine instance’s serial port - also known as an interactive serial console - does not support IP-based access restrictions. If enabled, the interactive serial console can be used by clients to connect to the instance from any IP address. This enables anyone who has the correct SSH key, username, and other login information to connect to the instance.

Remediation Steps

Google Cloud Console

  • Navigate to VM instances.

  • Click on the instance name to go to the VM instance details page.

  • Click STOP if the instance is running, and then click EDIT.

  • Deselect Enable connecting to serial ports.

  • Click Save and then click START.

gcloud CLI

  • List the Compute Engine instances in your project:

    • gcloud compute instances list

  • Stop the Compute Engine instance:

    • gcloud compute instances stop INSTANCE_NAME

  • Use either of these two commands to disable connecting to serial ports:

    • gcloud compute instances add-metadata INSTANCE_NAME --zone=ZONE --metadata=serial-port-enable=false

    • gcloud compute instances add-metadata INSTANCE_NAME --zone=ZONE --metadata=serial-port-enable=0

  • Restart the instance:

    • gcloud compute instances start INSTANCE_NAME
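To find the instances that need this remediation before touching any of them, the following added example (not part of this page or of Google's tooling) evaluates the JSON that `gcloud compute instances list --format=json` produces. It assumes the `metadata.items` key/value layout and the full-URL `zone` field of that output, treats only the `true`/`1` and `false`/`0` forms used above, and applies the instance-level value over any project-level default. The sample instance list is constructed inline so the check runs offline.

```python
"""Detect Compute Engine instances whose interactive serial console is enabled."""
import json
from typing import List, Optional

# Forms of serial-port-enable that switch the console on (assumption: the
# true/1 and false/0 spellings used in the remediation steps, case-insensitive).
_ENABLED_VALUES = {"true", "1"}


def serial_port_enabled(instance: dict, project_default: Optional[str] = None) -> bool:
    """True if the console is on. Instance metadata overrides the project-level
    default (project_default is the value of the project's serial-port-enable key,
    or None when the project does not set one)."""
    value = project_default
    for item in (instance.get("metadata") or {}).get("items") or []:
        if item.get("key") == "serial-port-enable":
            value = item.get("value")   # instance-level setting wins
            break
    if value is None:
        return False                    # unset everywhere: console stays off
    return str(value).strip().lower() in _ENABLED_VALUES


def find_exposed(instances_json: str, project_default: Optional[str] = None) -> List[str]:
    """Names of instances from `gcloud compute instances list --format=json`
    output that currently allow serial console connections."""
    return [i["name"] for i in json.loads(instances_json)
            if serial_port_enabled(i, project_default)]


def remediation_command(instance: dict) -> str:
    """The add-metadata command from this page for one flagged instance.
    gcloud reports the zone as a full URL; only its last path segment is needed."""
    zone = instance["zone"].rsplit("/", 1)[-1]
    return (f"gcloud compute instances add-metadata {instance['name']} "
            f"--zone={zone} --metadata=serial-port-enable=false")


# Constructed sample of gcloud JSON output (not captured from a real project).
_ZONE = "https://www.googleapis.com/compute/v1/projects/example-proj/zones/us-central1-a"
SAMPLE_INSTANCES = json.dumps([
    {"name": "web-1", "zone": _ZONE,
     "metadata": {"items": [{"key": "serial-port-enable", "value": "true"}]}},
    {"name": "db-1", "zone": _ZONE,
     "metadata": {"items": [{"key": "serial-port-enable", "value": "false"}]}},
    {"name": "bastion", "zone": _ZONE,
     "metadata": {"items": [{"key": "serial-port-enable", "value": "1"}]}},
    {"name": "worker", "zone": _ZONE, "metadata": {}},   # inherits project default
])

if __name__ == "__main__":
    for name in find_exposed(SAMPLE_INSTANCES, project_default="true"):
        inst = next(i for i in json.loads(SAMPLE_INSTANCES) if i["name"] == name)
        print(remediation_command(inst))
```

Passing the project's own `serial-port-enable` value as `project_default` matters: an instance with no metadata of its own is exposed when the project enables the console, while an explicit `false` on the instance still takes precedence.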