Compute Engine – Enable OS Login
This check ensures that OS Login is enabled at the project level so that SSH access to Compute Engine VM instances is controlled by IAM roles (roles/compute.osLogin and roles/compute.osAdminLogin) rather than by static SSH public keys stored in project or instance metadata.
Check Details
- Resource: Compute Engine
- Check: Enforce OS Login
- Risk: Without OS Login, SSH access is granted by public keys stored in project-wide or instance-level metadata. Those keys are not tied to a user's IAM lifecycle: revoking someone's access means finding and removing every copy of their key by hand, and there is no central record of who can log in to which VM. This increases the risk of unauthorized access and makes access governance hard to audit.
Remediation via Google Cloud Console
- Go to the Compute Engine Metadata page: https://console.cloud.google.com/compute/metadata
- Click Edit.
- Under Custom metadata, add a metadata entry:
  - Key: enable-oslogin
  - Value: TRUE
- Click Save to apply the changes.
- If any VM instance overrides the project setting, go to the VM Instances page: https://console.cloud.google.com/compute/instances
- Click the name of the instance to open the instance details page.
- Click Edit.
- Under Custom metadata, remove any entry with:
  - Key: enable-oslogin
  - Value: FALSE
- Click Save to apply the changes.
Remediation via Google Cloud CLI
- Open the Google Cloud Console and click the Cloud Shell icon (>_) in the top-right corner.
- Configure OS Login at the project level:
  gcloud compute project-info add-metadata --metadata enable-oslogin=TRUE
- Remove instance-level metadata that overrides the project setting:
  gcloud compute instances remove-metadata <INSTANCE_NAME> --zone <ZONE> --keys=enable-oslogin
  Replace <INSTANCE_NAME> with the name of your Compute Engine VM instance and <ZONE> with the zone it runs in (the --zone flag can be omitted if a default zone is configured). Instance-level metadata takes precedence over project-level metadata, so an instance entry of enable-oslogin=FALSE keeps metadata-key SSH active even after the project-level change; repeat the command for every instance that carries such an override. You can list the current project metadata with gcloud compute project-info describe --format=json and the instance metadata with gcloud compute instances list --format=json.
- Once OS Login is active, SSH keys stored in metadata stop working; users must hold roles/compute.osLogin or roles/compute.osAdminLogin to connect. To prevent the setting from being disabled again at the project or instance level, enforce the organization policy constraint constraints/compute.requireOsLogin on the organization, folder, or project.
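The two CLI steps above rely on one precedence rule: an instance-level enable-oslogin entry overrides the project-level one, and an unset key behaves as FALSE. The following script, an added example that is not part of the original article, applies that rule to metadata in the shape returned by gcloud compute project-info describe --format=json and gcloud compute instances list --format=json, reports the effective OS Login state of each VM, and prints the exact gcloud commands needed to remediate it. The project and instance documents embedded in it are constructed for the example, and the case-insensitive comparison of the value is an assumption.

```python
"""Audit the effective OS Login state of Compute Engine VMs from exported
metadata and emit the gcloud remediation commands (added example)."""
import json

# Constructed sample: project metadata with no enable-oslogin key at all.
PROJECT_JSON = """{
  "name": "example-project",
  "commonInstanceMetadata": {
    "kind": "compute#metadata",
    "items": [
      {"key": "ssh-keys", "value": "alice:ssh-ed25519 AAAA... alice@example"}
    ]
  }
}"""

# Constructed sample: one VM inherits, one overrides to FALSE, one to true.
INSTANCES_JSON = """[
  {"name": "web-1",
   "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-a",
   "metadata": {"items": []}},
  {"name": "db-1",
   "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-a",
   "metadata": {"items": [{"key": "enable-oslogin", "value": "FALSE"}]}},
  {"name": "bastion",
   "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/europe-west1-b",
   "metadata": {"items": [{"key": "enable-oslogin", "value": "true"}]}}
]"""

KEY = "enable-oslogin"


def metadata_value(items, key):
    """Return the value stored under `key` in a metadata items list, or None if unset."""
    for item in items or []:
        if item.get("key") == key:
            return item.get("value")
    return None


def is_true(value):
    """Assumption: the guest compares the value case-insensitively, so "true" counts."""
    return value is not None and value.strip().upper() == "TRUE"


def effective_os_login(project_items, instance_items):
    """Instance-level metadata overrides project-level; an unset key means FALSE."""
    value = metadata_value(instance_items, KEY)
    if value is None:
        value = metadata_value(project_items, KEY)
    return is_true(value)


def audit(project_json, instances_json):
    """Return ({instance_name: os_login_enabled}, [gcloud remediation commands])."""
    project = json.loads(project_json)
    project_items = project.get("commonInstanceMetadata", {}).get("items", [])
    findings, commands = {}, []

    # Step 1 of the remediation: the project-level key must be TRUE.
    if not is_true(metadata_value(project_items, KEY)):
        commands.append(
            "gcloud compute project-info add-metadata --metadata enable-oslogin=TRUE")

    # Step 2: drop every instance-level override that is not TRUE.
    for inst in json.loads(instances_json):
        items = inst.get("metadata", {}).get("items", [])
        findings[inst["name"]] = effective_os_login(project_items, items)
        override = metadata_value(items, KEY)
        # A TRUE override is harmless and can stay; only a non-TRUE one blocks
        # the project-level setting.
        if override is not None and not is_true(override):
            zone = inst["zone"].rsplit("/", 1)[-1]  # the API returns the zone as a URL
            commands.append(
                f"gcloud compute instances remove-metadata {inst['name']} "
                f"--zone {zone} --keys=enable-oslogin")
    return findings, commands


def run_sample():
    """Run the audit over the constructed sample documents."""
    return audit(PROJECT_JSON, INSTANCES_JSON)


if __name__ == "__main__":
    sample_findings, sample_commands = run_sample()
    for name, enabled in sample_findings.items():
        print(f"{name}: OS Login {'enabled' if enabled else 'DISABLED'}")
    print("\n".join(sample_commands))
```

Against the sample, web-1 and db-1 report OS Login disabled (web-1 because nothing is set anywhere, db-1 because of its FALSE override) while bastion is already enabled; the script emits the project-level add-metadata command and a single remove-metadata command for db-1. To run it against a real project, feed it the output of the two gcloud describe/list commands instead of the embedded samples.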
Default Value
By default, the enable-oslogin metadata parameter is not set, which Compute Engine treats the same as setting it to FALSE.