Profile Applicability:
Level 1
Description:
OS Login binds SSH certificates to IAM users, enabling centralized and automated SSH key management, which simplifies access control and improves security.
Rationale:
Enabling OS Login ensures that SSH keys are mapped to IAM users. This setup allows for efficient SSH key management, enabling quick responses to compromised keys or revoked user access. Revoking an IAM user's access automatically invalidates all associated SSH keys. This approach enhances security by streamlining key management and eliminating metadata-based SSH key configurations.
Impact:
Enabling OS Login: Disables metadata-based SSH key configurations across all instances in the project.
Disabling OS Login: Restores metadata-based SSH key configurations.
Users relying on metadata-based SSH keys will need to adjust their access methods.
Default Value:
By default, enable-oslogin is not set, which is equivalent to FALSE.
Audit Steps:
From Google Cloud Console:
Navigate to the VM Compute Metadata page: https://console.cloud.google.com/compute/metadata.
Verify that the key enable-oslogin exists with a value set to TRUE.
Ensure that no instance overrides the project setting with enable-oslogin set to FALSE.
From Google Cloud CLI:
Describe the project and inspect its project-wide metadata:
gcloud compute project-info describe --format=json
Check the commonInstanceMetadata section to verify that enable-oslogin is set to TRUE.
List the instances and their own metadata to confirm that no instance overrides the project setting:
gcloud compute instances list --format=json
Verify that no instance's metadata section sets enable-oslogin to FALSE (the per-instance output uses the metadata key, not commonInstanceMetadata).
Exception:
Exclude VMs created by GKE (Google Kubernetes Engine), which typically have names starting with gke- and labels like goog-gke-node.
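The audit above can be automated by parsing the JSON that gcloud prints. The following is an added example, not part of the benchmark text: it reads output shaped like `gcloud compute project-info describe --format=json` and `gcloud compute instances list --format=json`, confirms enable-oslogin is TRUE at the project level, and flags any instance whose own metadata overrides it, applying the GKE exception (names starting with gke- or the goog-gke-node label). The two JSON documents embedded below are constructed samples containing only the fields the check reads; the function names are this example's own.

```python
import json

# Constructed sample, shaped like `gcloud compute project-info describe --format=json`.
PROJECT_INFO_JSON = """
{
  "name": "example-project",
  "commonInstanceMetadata": {
    "items": [
      {"key": "enable-oslogin", "value": "TRUE"}
    ]
  }
}
"""

# Constructed sample, shaped like `gcloud compute instances list --format=json`.
# "legacy-db" overrides the project setting; the gke- node does too but is exempt.
INSTANCES_JSON = """
[
  {"name": "web-1",
   "metadata": {"items": [{"key": "startup-script", "value": "#!/bin/sh"}]}},
  {"name": "legacy-db",
   "metadata": {"items": [{"key": "enable-oslogin", "value": "FALSE"}]}},
  {"name": "bastion",
   "metadata": {"items": [{"key": "enable-oslogin", "value": "true"}]}},
  {"name": "gke-prod-default-pool-abc123",
   "labels": {"goog-gke-node": ""},
   "metadata": {"items": [{"key": "enable-oslogin", "value": "false"}]}},
  {"name": "no-metadata"}
]
"""


def _items(container):
    """Flatten a metadata container ({"items": [{"key":..., "value":...}]}) into a dict."""
    return {i.get("key"): i.get("value") for i in (container or {}).get("items", [])}


def project_oslogin_enabled(project_info):
    """True when commonInstanceMetadata sets enable-oslogin to TRUE.

    An absent key is treated as FALSE, matching the documented default.
    Comparison is case-insensitive (assumption: gcloud accepts TRUE/true alike).
    """
    value = _items(project_info.get("commonInstanceMetadata")).get("enable-oslogin", "FALSE")
    return value.upper() == "TRUE"


def is_gke_node(instance):
    """Apply the benchmark's GKE exception: gke- name prefix or goog-gke-node label."""
    name = instance.get("name", "")
    labels = instance.get("labels") or {}
    return name.startswith("gke-") or "goog-gke-node" in labels


def overriding_instances(instances):
    """Names of non-GKE instances whose own metadata sets enable-oslogin to anything but TRUE."""
    offenders = []
    for inst in instances:
        if is_gke_node(inst):
            continue
        value = _items(inst.get("metadata")).get("enable-oslogin")
        if value is not None and value.upper() != "TRUE":
            offenders.append(inst["name"])
    return offenders


def audit(project_info_json, instances_json):
    """Evaluate both audit conditions and return a summary dict."""
    project_info = json.loads(project_info_json)
    instances = json.loads(instances_json)
    overrides = overriding_instances(instances)
    enabled = project_oslogin_enabled(project_info)
    return {
        "project_enabled": enabled,
        "overriding_instances": overrides,
        "compliant": enabled and not overrides,
    }


if __name__ == "__main__":
    result = audit(PROJECT_INFO_JSON, INSTANCES_JSON)
    print(json.dumps(result, indent=2))
    for name in result["overriding_instances"]:
        # Remediation command from this recommendation, one per offending instance.
        print(f"gcloud compute instances remove-metadata {name} --keys=enable-oslogin")
```

With real data, pipe the two gcloud commands' output into files and pass their contents to audit(); a non-empty overriding_instances list is the set of VMs for which the instance-level remediation step applies.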
Remediation Steps:
From Google Cloud Console:
Navigate to the VM Compute Metadata page: https://console.cloud.google.com/compute/metadata.
Click Edit and add the metadata key enable-oslogin with a value of TRUE.
Save your changes.
For instances overriding the project setting:
Go to the VM Instances page: https://console.cloud.google.com/compute/instances.
Click the instance name to open its details page.
Click Edit and remove any custom metadata entry with enable-oslogin set to FALSE.
Save the changes.
From Google Cloud CLI:
Enable OS Login for the project:
gcloud compute project-info add-metadata --metadata enable-oslogin=TRUE
Remove any instance-specific metadata overriding the project setting:
gcloud compute instances remove-metadata <INSTANCE_NAME> --keys=enable-oslogin
References:
Additional Information:
Instances using custom images must have the latest Linux Guest Environment for OS Login.
OS Login is not supported by certain image families, including:
Container-Optimized OS (cos-stable)
CoreOS
SLES-11
Windows Server and SQL Server
CIS Controls: