Profile Applicability:

Level 1

Description:

The serial console allows text-based interaction with a virtual machine (VM) instance. However, enabling serial port access exposes instances to connection attempts from any IP address, increasing security risks. This feature should be disabled to prevent unauthorized access.

Rationale:

Enabling the interactive serial console grants access to VMs without IP-based restrictions, creating a security vulnerability. Attackers with knowledge of the appropriate credentials (e.g., SSH key, username, project ID, zone, instance name) can connect to the instance. Disabling this feature minimizes the risk of unauthorized access.

Impact:

Disabling serial port access ensures that VM instances are protected from potential unauthorized connections via the serial console, enhancing overall security.

Default Value:

By default, the "Enable connecting to serial ports" option is not enabled for VM instances.

Audit Steps:

From Google Cloud Console:

  1. Navigate to Compute Engine → VM Instances:
    https://console.cloud.google.com/compute/instances.

           

  1. Select the specific VM instance.

           

  1. Verify that the message "Connecting to serial ports is disabled" appears under the Details tab below the Connect to serial console dropdown.

             

From Google Cloud CLI:

Retrieve instance metadata:

gcloud compute instances describe <INSTANCE_NAME> --zone=<ZONE> --format="json(metadata.items[].key,metadata.items[].value)"
Confirm that serial-port-enable is set to false or 0 in the metadata section:
{
  "metadata": {
    "items": [
      {
        "key": "serial-port-enable",
        "value": "0"
      }
    ]
  }
}

Remediation Steps:

From Google Cloud Console:

  1. Navigate to Compute Engine → VM Instances.

                       

  1. Select the specific VM instance.

       

  1. Click Edit.

                 

  1. Uncheck Enable connecting to serial ports under the Remote Access section.

                   

  1. Click Save.

                 

From Google Cloud CLI:

Disable serial port access for a specific instance:

gcloud compute instances add-metadata <INSTANCE_NAME> --zone=<ZONE> --metadata=serial-port-enable=false

or

gcloud compute instances add-metadata <INSTANCE_NAME> --zone=<ZONE> --metadata=serial-port-enable=0

Prevention:

To prevent serial port access across all VMs in your organization, set an organization policy: Disable VM Serial Port Access Policy.

References:

  1. Interacting with the Serial Console

CIS Controls:

Control

Description

IG 1

IG 2

IG 3

4.8 Uninstall or Disable Unnecessary Services

Remove or disable unnecessary services to reduce the attack surface.


9.2 Approved Ports, Protocols, and Services

Ensure only approved ports, protocols, and services are running on a system.