Control: 4.4 Ensure oslogin is enabled for a Project
Description
Enabling OS Login binds SSH public keys to IAM identities and makes SSH access manageable through IAM rather than through keys pasted into project or instance metadata.
With OS Login enabled, the SSH keys used to reach an instance are tied to the Google identity of the user who owns them, and access is granted by IAM roles instead of by the presence of a key in metadata. Revoking a user's IAM access therefore revokes every SSH key associated with that user at once. This gives you centralized, automatable SSH key management, which matters when responding to a compromised key pair or when offboarding external, third-party, or vendor users.
Remediation
From Console
- Go to the VM compute metadata page by visiting: https://console.cloud.google.com/compute/metadata.
- Click Edit.
- Add a metadata entry where the key is enable-oslogin and the value is TRUE.
- Click Save to apply the changes.
- For every instance that overrides the project setting, go to the VM Instances page at https://console.cloud.google.com/compute/instances.
- Click the name of the instance on which you want to remove the metadata value.
- At the top of the instance details page, click Edit to edit the instance settings.
- Under Custom metadata, remove any entry with key enable-oslogin and the value FALSE.
- At the bottom of the instance details page, click Save to apply your changes to the instance.
From Command Line
- Configure oslogin on the project
gcloud compute project-info add-metadata --metadata enable-oslogin=TRUE
- Remove instance metadata that overrides the project setting (add --zone ZONE if the instance's zone is not your configured default):
gcloud compute instances remove-metadata INSTANCE_NAME --keys=enable-oslogin
Optionally, you can enable two factor authentication for OS login. For more information, see: https://cloud.google.com/compute/docs/oslogin/setup-two-factor-authentication.
Default Value
By default, the parameter enable-oslogin is not set, which is equivalent to setting it to FALSE.
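The effective setting for an instance is decided in three layers: an instance-level enable-oslogin entry wins, otherwise the project-level commonInstanceMetadata entry applies, and if neither is set the default is FALSE. The script below is an added example, not code from the Powerpipe mod or from Google, that applies exactly that precedence to the JSON emitted by `gcloud compute project-info describe --format=json` and `gcloud compute instances list --format=json`, reports the effective state and its source for each instance, and builds the remediation commands from the section above for anything that is not enabled. The two embedded JSON documents are constructed samples in that shape; the case-insensitive comparison of the value (so "true" counts as TRUE) is an assumption about how the guest environment reads it, and a stricter audit can compare the literal string instead.

```python
"""Audit the effective enable-oslogin setting for every instance in a project.

Added example (not part of the Powerpipe mod or of Google's tooling). Input is the
JSON shape produced by `gcloud compute project-info describe --format=json` and
`gcloud compute instances list --format=json`; the samples below are constructed.
"""
import json
import sys
from typing import Dict, List, Optional, Tuple

KEY = "enable-oslogin"

# Constructed sample: project-level metadata with OS Login enabled.
PROJECT_INFO_JSON = """
{
  "name": "example-project",
  "commonInstanceMetadata": {
    "kind": "compute#metadata",
    "items": [
      {"key": "enable-oslogin", "value": "TRUE"},
      {"key": "block-project-ssh-keys", "value": "TRUE"}
    ]
  }
}
"""

# Constructed sample: three instances; legacy-db overrides the project setting.
INSTANCES_JSON = """
[
  {"name": "web-1",
   "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-a",
   "metadata": {"kind": "compute#metadata",
                "items": [{"key": "startup-script", "value": "#! /bin/bash"}]}},
  {"name": "legacy-db",
   "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/europe-west1-b",
   "metadata": {"kind": "compute#metadata",
                "items": [{"key": "enable-oslogin", "value": "FALSE"}]}},
  {"name": "bastion",
   "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-a",
   "metadata": {"kind": "compute#metadata"}}
]
"""


def sample_project() -> Dict:
    return json.loads(PROJECT_INFO_JSON)


def sample_instances() -> List[Dict]:
    return json.loads(INSTANCES_JSON)


def metadata_value(metadata: Optional[Dict], key: str) -> Optional[str]:
    """Return the value stored under `key` in a compute#metadata object, or None if absent."""
    for item in (metadata or {}).get("items") or []:
        if item.get("key") == key:
            return item.get("value")
    return None


def is_true(value: Optional[str]) -> bool:
    # Assumption: the guest environment reads the value case-insensitively, so "true" == "TRUE".
    return value is not None and value.strip().lower() == "true"


def effective_oslogin(project_info: Dict, instance: Dict) -> Tuple[bool, str]:
    """Return (enabled, source). Instance metadata overrides project metadata; unset means FALSE."""
    inst_val = metadata_value(instance.get("metadata"), KEY)
    if inst_val is not None:
        return is_true(inst_val), "instance"
    proj_val = metadata_value(project_info.get("commonInstanceMetadata"), KEY)
    if proj_val is not None:
        return is_true(proj_val), "project"
    return False, "default"


def audit(project_info: Dict, instances: List[Dict]) -> List[Dict]:
    """One finding per instance: name, zone basename, effective state and which layer decided it."""
    findings = []
    for inst in instances:
        enabled, source = effective_oslogin(project_info, inst)
        findings.append({"name": inst["name"], "zone": inst["zone"].rsplit("/", 1)[-1],
                         "oslogin": enabled, "source": source})
    return findings


def remediation_commands(project_info: Dict, instances: List[Dict]) -> List[str]:
    """Build the gcloud commands from the Remediation section for everything that is not enabled."""
    cmds = []
    if not is_true(metadata_value(project_info.get("commonInstanceMetadata"), KEY)):
        cmds.append(f"gcloud compute project-info add-metadata --metadata {KEY}=TRUE")
    for f in audit(project_info, instances):
        if f["source"] == "instance" and not f["oslogin"]:
            cmds.append(f"gcloud compute instances remove-metadata {f['name']} "
                        f"--zone {f['zone']} --keys={KEY}")
    return cmds


if __name__ == "__main__":
    # Usage: python oslogin_audit.py [project.json instances.json]; defaults to the samples.
    if len(sys.argv) == 3:
        project = json.load(open(sys.argv[1]))
        instances = json.load(open(sys.argv[2]))
    else:
        project, instances = sample_project(), sample_instances()
    for f in audit(project, instances):
        print(f"{f['name']:<12} {f['zone']:<16} oslogin={f['oslogin']!s:<5} ({f['source']})")
    for c in remediation_commands(project, instances):
        print("remediate:", c)
```

Against real output, capture both documents first (`gcloud compute project-info describe --format=json > project.json` and `gcloud compute instances list --format=json > instances.json`) and pass them as arguments; review the printed commands before running them, since remove-metadata is applied per instance and zone.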
Usage
Run the control in your terminal:
powerpipe control run gcp_compliance.control.cis_v200_4_4
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run gcp_compliance.control.cis_v200_4_4 --share
SQL
This control uses a named query:
compute_instance_oslogin_enabled