turbot/steampipe-mod-gcp-compliance

Control: 4.4 Ensure oslogin is enabled for a Project

Description

Enabling OS Login binds SSH public keys to IAM identities and lets SSH access to instances be managed centrally through IAM instead of through SSH keys pasted into project or instance metadata.

With OS Login enabled, the SSH keys used to connect to instances are tied to the user's Google account, and access is granted through IAM roles (roles/compute.osLogin or roles/compute.osAdminLogin). Removing a user's IAM role revokes their SSH access on every instance in the project at once, without editing any instance metadata. This centralized, automatable key management matters when responding to a compromised SSH key pair or when off-boarding external, third-party or vendor users.

Remediation

From Console

  1. Go to the VM compute metadata page by visiting: https://console.cloud.google.com/compute/metadata.
  2. Click Edit.
  3. Add a metadata entry where the key is enable-oslogin and the value is TRUE.
  4. Click Save to apply the changes.
  5. For every instance that overrides the project setting, go to the VM Instances page at https://console.cloud.google.com/compute/instances.
  6. Click the name of the instance on which you want to remove the metadata value.
  7. At the top of the instance details page, click Edit to edit the instance settings.
  8. Under Custom metadata, remove any entry whose key is enable-oslogin and whose value is FALSE.
  9. At the bottom of the instance details page, click Save to apply your changes to the instance.

From Command Line

  1. Configure OS Login on the project:
gcloud compute project-info add-metadata --metadata enable-oslogin=TRUE
  2. Remove instance metadata that overrides the project setting (pass the instance's zone with --zone, otherwise gcloud prompts for it):
gcloud compute instances remove-metadata INSTANCE_NAME --zone ZONE --keys=enable-oslogin

Optionally, you can also require two-factor authentication for OS Login by setting the metadata key enable-oslogin-2fa to TRUE. For more information, see: https://cloud.google.com/compute/docs/oslogin/setup-two-factor-authentication.
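The remediation above is only needed on instances that actually override the project setting, and the control's verdict depends on the precedence between the project key and the instance key. The following script is an added example (not part of the steampipe-mod-gcp-compliance mod) that reproduces that evaluation offline from the JSON shapes returned by `gcloud compute project-info describe --format=json` and `gcloud compute instances list --format=json`, and prints the exact remediation command for each finding. The project and instance records embedded below are constructed sample data; the names, zones and metadata values are assumptions for illustration.

```python
"""Offline pre-flight for CIS GCP 4.4 (OS Login) from gcloud JSON.

Added illustration, not code from the mod. Applies the same precedence rules
as the control's query: project key unset or false -> alarm on every instance
(even one that enables OS Login itself); project true but instance false ->
alarm on that instance; otherwise ok.
"""
import json

# Value normalization used by the control (lower-cased, several spellings).
TRUE_VALUES = {"true", "y", "yes", "1"}
FALSE_VALUES = {"false", "n", "no", "0"}

# Constructed sample data in the shape gcloud emits (assumed project/instances).
PROJECT_INFO = {
    "name": "example-project",
    "commonInstanceMetadata": {
        "items": [{"key": "enable-oslogin", "value": "TRUE"}]
    },
}
INSTANCES = [
    {   # explicitly disables OS Login -> alarm
        "name": "web-1",
        "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-a",
        "metadata": {"items": [{"key": "enable-oslogin", "value": "FALSE"}]},
    },
    {   # no override -> inherits the project setting
        "name": "web-2",
        "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-b",
        "metadata": {"items": [{"key": "startup-script", "value": "#! /bin/bash"}]},
    },
    {   # mixed-case key and value are still matched
        "name": "bastion",
        "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-east1-b",
        "metadata": {"items": [{"key": "Enable-OSLogin", "value": "true"}]},
    },
]


def metadata_value(metadata, key):
    """Lower-cased value of the first item whose key matches case-insensitively,
    or '' when the key is absent (mirrors the query's coalesce(..., ''))."""
    for item in (metadata or {}).get("items", []) or []:
        if str(item.get("key", "")).lower() == key.lower():
            return str(item.get("value", "")).lower()
    return ""


def evaluate(project_info, instances):
    """Return (project_value, [finding per instance]) using the control's rules."""
    project_value = metadata_value(project_info.get("commonInstanceMetadata"), "enable-oslogin")
    findings = []
    for inst in instances:
        inst_value = metadata_value(inst.get("metadata"), "enable-oslogin")
        zone = inst.get("zone", "").rsplit("/", 1)[-1]  # full URL -> zone name
        if project_value == "" or project_value in FALSE_VALUES:
            status, reason = "alarm", "OS Login disabled at project level"
        elif project_value in TRUE_VALUES and inst_value in FALSE_VALUES:
            status, reason = "alarm", "OS Login disabled at instance level"
        elif project_value in TRUE_VALUES and inst_value == "":
            status, reason = "ok", "inherits OS Login from project"
        else:
            status, reason = "ok", "OS Login enabled"
        findings.append({"name": inst["name"], "zone": zone, "status": status,
                         "reason": reason, "instance_override": inst_value})
    return project_value, findings


def remediation_commands(project_value, findings):
    """gcloud commands that would bring the project and instances into compliance."""
    cmds = []
    if project_value not in TRUE_VALUES:
        cmds.append("gcloud compute project-info add-metadata --metadata enable-oslogin=TRUE")
    for f in findings:
        if f["instance_override"] in FALSE_VALUES:
            cmds.append(f"gcloud compute instances remove-metadata {f['name']} "
                        f"--zone {f['zone']} --keys=enable-oslogin")
    return cmds


if __name__ == "__main__":
    project_value, findings = evaluate(PROJECT_INFO, INSTANCES)
    print(f"project enable-oslogin = {project_value or '<unset>'}")
    for f in findings:
        print(f"{f['status']:5}  {f['name']:10} {f['zone']:14} {f['reason']}")
    print("\nremediation:")
    print("\n".join(remediation_commands(project_value, findings)) or "(none)")
    # Feed real output with: gcloud compute instances list --format=json > instances.json
    # and json.load(open('instances.json')) in place of INSTANCES.
```

Run it against real output by replacing the two constants with the parsed results of the two gcloud commands named in the docstring; every `alarm` line is an instance the control will flag, and the printed `remove-metadata` commands are the ones to run after the project-level key is set.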

Default Value

By default, the enable-oslogin metadata key is not set, which is equivalent to setting it to FALSE: instances accept SSH keys from project and instance metadata rather than from IAM.

Usage

Run the control in your terminal:

powerpipe control run gcp_compliance.control.cis_v200_4_4

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run gcp_compliance.control.cis_v200_4_4 --share

SQL

This control uses a named query. It evaluates every instance against the project-level enable-oslogin key: an unset or false project key alarms on every instance (even one that sets enable-oslogin=TRUE itself, since the control is scoped to the project), and a true project key alarms only on instances that override it with a false value:

with project_metadata as (
  -- Lower-cased value of the project-wide enable-oslogin key, '' when unset.
  select
    m.project,
    coalesce(
      (
        select lower(item ->> 'value')
        from jsonb_array_elements(m.common_instance_metadata -> 'items') as item
        where lower(item ->> 'key') = 'enable-oslogin'
        limit 1
      ), ''
    ) as project_oslogin
  from
    gcp_compute_project_metadata m
), instance_metadata as (
  -- Same lookup against each instance's own metadata (instance overrides project).
  select
    i.self_link,
    i.title,
    i.project,
    i.tags,
    i.location,
    i._ctx,
    coalesce(
      (
        select lower(item ->> 'value')
        from jsonb_array_elements(i.metadata -> 'items') as item
        where lower(item ->> 'key') = 'enable-oslogin'
        limit 1
      ), ''
    ) as instance_oslogin
  from
    gcp_compute_instance i
)
select
  i.self_link as resource,
  case
    when pm.project_oslogin = '' then 'alarm'
    when pm.project_oslogin in ('false', 'n', 'no', '0') then 'alarm'
    when pm.project_oslogin in ('true', 'y', 'yes', '1')
      and i.instance_oslogin in ('false', 'n', 'no', '0') then 'alarm'
    else 'ok'
  end as status,
  case
    when pm.project_oslogin = '' then i.title || ' has OS login disabled at project level.'
    when pm.project_oslogin in ('false', 'n', 'no', '0') then i.title || ' has OS login disabled at project level.'
    when pm.project_oslogin in ('true', 'y', 'yes', '1') and i.instance_oslogin in ('false', 'n', 'no', '0') then i.title || ' OS login setting is disabled at instance level.'
    when pm.project_oslogin in ('true', 'y', 'yes', '1') and i.instance_oslogin = '' then i.title || ' inherits OS login enabled setting from project level.'
    else i.title || ' OS login enabled.'
  end as reason,
  i.location as location,
  i.project as project
from
  instance_metadata i
  left join project_metadata pm on pm.project = i.project;

Tags