VM instance should have OSLogin enabled

ID

gcp_vm_instance_oslogin_disabled

Severity

low

Vendor

GCP

Resource

IAM

Tags

reachable

Description

Disabling OS Login could introduce the following risks:

  • lose the ability to manage SSH access using IAM roles and permissions

  • lose the option to use two-factor authentication for SSH connections

  • lose the visibility of SSH login events with Cloud Logging

  • need to manually configure your user account with POSIX information

To fix it, you must set the metadata.enable-oslogin property to yes.

Learn more about this topic at About OS Login.

Examples

---
- name: oslogin-disabled
  google.cloud.gcp_compute_instance:
    metadata:
      enable-oslogin: no
    zone: us-central1-a
    auth_kind: serviceaccount

Mitigation / Fix

---
- name: oslogin-enabled
  google.cloud.gcp_compute_instance:
    metadata:
      enable-oslogin: yes
    zone: us-central1-a
    auth_kind: serviceaccount
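As an added example (not part of this rule page or of the scanner it documents), the following Python checker applies the same condition to a parsed Ansible task file or playbook: it walks every task (including play-level task lists and block/rescue/always sections), locates google.cloud.gcp_compute_instance tasks and reports those whose metadata.enable-oslogin is absent or not enabled. Two details matter for a correct check: a YAML 1.1 loader such as PyYAML turns the `yes`/`no` in the snippets above into booleans, while GCP's own documentation writes the metadata value as the strings TRUE/FALSE, so the check accepts both forms. The sample tasks are constructed inline; the short module alias `gcp_compute_instance` and the `load_tasks` helper (which requires PyYAML) are assumptions.

```python
"""Added example: flag Ansible gcp_compute_instance tasks whose OS Login
metadata is missing or disabled (the gcp_vm_instance_oslogin_disabled condition)."""

# Module names under which the task's parameters live. The fully qualified
# name is the one used on the rule page; the short alias is an assumption.
GCP_INSTANCE_MODULES = ("google.cloud.gcp_compute_instance", "gcp_compute_instance")

# Values accepted as "enabled". YAML 1.1 loaders turn yes/no into Python
# bools; GCP documents the metadata value as the strings TRUE / FALSE.
TRUTHY_STRINGS = {"true", "yes", "on", "1", "y"}

# Keys whose list values contain further tasks (plays and block constructs).
NESTING_KEYS = ("tasks", "pre_tasks", "post_tasks", "handlers",
                "block", "rescue", "always")


def oslogin_state(params):
    """Return 'enabled', 'disabled' or 'missing' for one task's module params."""
    metadata = params.get("metadata") if isinstance(params, dict) else None
    if not isinstance(metadata, dict) or "enable-oslogin" not in metadata:
        return "missing"
    value = metadata["enable-oslogin"]
    if isinstance(value, bool):
        return "enabled" if value else "disabled"
    if isinstance(value, str) and value.strip().lower() in TRUTHY_STRINGS:
        return "enabled"
    # Anything else (FALSE, "no", 0, an unexpected type) does not enable OS Login.
    return "disabled"


def iter_tasks(items):
    """Yield leaf task dicts from a task file or playbook, descending into
    plays and block/rescue/always sections."""
    for item in items or []:
        if not isinstance(item, dict):
            continue
        nested = [k for k in NESTING_KEYS if isinstance(item.get(k), list)]
        if nested:
            for key in nested:
                yield from iter_tasks(item[key])
        else:
            yield item


def find_oslogin_findings(items):
    """Return [(task_name, state)] for every GCP instance task whose OS Login
    metadata is missing or disabled."""
    findings = []
    for task in iter_tasks(items):
        for module in GCP_INSTANCE_MODULES:
            if module in task:
                state = oslogin_state(task[module])
                if state != "enabled":
                    findings.append((task.get("name", "<unnamed>"), state))
                break
    return findings


def load_tasks(yaml_text):
    """Parse YAML text with PyYAML (assumption: installed; it is not stdlib)."""
    import yaml
    return yaml.safe_load(yaml_text)


# Constructed sample: the page's two snippets as PyYAML would load them
# (yes/no become True/False), plus variants a real playbook might contain.
SAMPLE_TASKS = [
    {"name": "oslogin-disabled",
     "google.cloud.gcp_compute_instance": {
         "metadata": {"enable-oslogin": False},
         "zone": "us-central1-a", "auth_kind": "serviceaccount"}},
    {"name": "oslogin-enabled",
     "google.cloud.gcp_compute_instance": {
         "metadata": {"enable-oslogin": True},
         "zone": "us-central1-a", "auth_kind": "serviceaccount"}},
    {"name": "oslogin-string-false",
     "google.cloud.gcp_compute_instance": {
         "metadata": {"enable-oslogin": "FALSE"}, "zone": "us-central1-a"}},
    {"name": "oslogin-string-true",
     "google.cloud.gcp_compute_instance": {
         "metadata": {"enable-oslogin": "TRUE"}, "zone": "us-central1-a"}},
    {"name": "oslogin-missing",
     "google.cloud.gcp_compute_instance": {"zone": "us-central1-a"}},
    {"name": "not-an-instance", "ansible.builtin.debug": {"msg": "skip me"}},
]

# The same tasks wrapped in a play containing a block, to exercise the recursion.
SAMPLE_PLAYBOOK = [{"hosts": "localhost", "tasks": [{"block": SAMPLE_TASKS}]}]

if __name__ == "__main__":
    for name, state in find_oslogin_findings(SAMPLE_PLAYBOOK):
        print(f"{name}: enable-oslogin {state}")
```

Run it directly to see the three findings from the sample (disabled, string FALSE, missing); to scan a real file, pass `load_tasks(open(path).read())` to `find_oslogin_findings`. Treating an absent key as a finding matches the rule's intent: when the metadata is not set, the instance inherits the project-level setting, which the task file does not control.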