Ensure that OS login 2FA is enabled for the GCP project.
Risk Level: Low
Description
This plugin checks to see whether the project's OS login 2FA is disabled and ensures that it is active for all VM instances. 2FA or Two Factor Authentication provides an extra layer of security
About the Service
Google Cloud Compute Engine:
Google Cloud Compute Engine is a service that allows you to create Virtual Machines based on your preferences and run them on Google’s infrastructure. You can either use their predefined machines with certain default configurations or create your own custom Virtual Machine to meet your exact requirements. To know more, read here.
Impact
If the OS Login capability is deactivated for any Google Cloud project, IAM cannot be used to manage all SSH keys. Instead, each SSH key would need to be created and kept independently. Furthermore, two-factor authentication is required for OS Login to boost security and eliminate the risks associated with hacked passwords.
Steps to Reproduce
Using GCP Console-
- Log In to your GCP Console.
- From the top navigation bar, select the GCP project you want to investigate.
- From the navigation panel on the left side of the console, go to Compute Engine and select VM Instances. You can use this link (https://console.cloud.google.com/compute) to navigate directly if you’re already logged in.
- Select the VM instance you want to investigate from the list of instances and go to the Details tab to examine the details of the VM instance selected.
- Scroll down to the Custom metadata section and check if there is any key with the name enable-oslogin-2fa. If it has a corresponding value of FALSE or if there is no key with the name enable-oslogin-2fa, then the OS login 2FA feature is not enabled in the selected Virtual Machine (VM) instance.
(or) - Repeat steps 6 and 7 for all the VM instances in the selected project.
- If you have multiple projects that you want to investigate, repeat steps 2-8 for each project in your GCP console.
Steps for Remediation
Determine whether or not you truly require OS login 2FA to be disabled. If not, make the necessary changes to enable OS login for your Google Cloud projects.
Using GCP Console-
- Log In to your GCP Console.
- From the top navigation bar, select the GCP project you want to investigate.
- From the navigation panel on the left side of the console, go to Compute Engine and select VM Instances. You can use this link (https://console.cloud.google.com/compute) to navigate directly if you’re already logged in.
- From the list of instances, choose the VM instance you want to reconfigure. (In case you aren’t sure which instance needs to be configured, follow the steps to reproduce listed above to determine which instance to choose.)
- Select the Edit option from the top navigation bar of the VM instance details page.
- Scroll down to the Custom metadata section and click on Add item and add a metadata with Key as enable-oslogin-2fa and set the value to TRUE.
Note: Ensure that a key with enable-oslogin and value set to TRUE already exists. - Click save to apply all the changes made.
- Repeat steps 6 to 8 for all the VM instances you want to reconfigure in the selected project.
- If you have multiple projects, repeat steps 2-9 for each project in your GCP console.