Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Use OS Login with 2FA Authentication for VM Instances

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that the OS Login feature enabled at the virtual machine instance level is configured with Two-Factor Authentication (2FA) in order to help protect the access to your Google Cloud VM instances. Two-Factor Authentication (also known as Multi-Factor Authentication - MFA) provides an additional layer of security on top of the existing credentials.

Security

When Two-Factor Authentication (2FA) is configured with OS Login, the user (e.g. instance administrator) will have to present a minimum of two separate forms of authorization before its access is granted. Having an 2FA/MFA-protected instance represents an efficient way to safeguard your production and business-critical applications against malicious actors, as attackers would have to compromise at least two different authentication methods in order to gain access to your VM instance, and this reduces significantly the risk of attack.

Note: OS Login feature must be enabled at the instance level in order to use OS Login 2FA.

Audit

To determine if OS Login is configured with 2FA at the VM instance level, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Google Compute Engine dashboard at https://console.cloud.google.com/compute.

04 In the navigation panel, select VM instances to access the list with the virtual machine (VM) instances provisioned for the selected project.

05 Click on the name of the VM instance that you want to examine.

06 Select the Details tab to access the instance configuration details and check the Custom metadata section for a key pair with the name enable-oslogin-2fa. If there is no custom metadata key named enable-oslogin-2fa or the enable-oslogin-2fa key exists but the key value is set to FALSE, the OS Login feature is not configured with Two-Factor Authentication (2FA) for the selected Google Compute Engine instance.

07 Repeat step no. 5 and 6 for each production VM instance created within the selected project.

08 Repeat steps no. 2 – 7 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the Google Cloud Platform (GCP) projects available within your cloud account: 

gcloud projects list
	--format="table(projectId)"

02 The command output should return the requested GCP project IDs: 

PROJECT_ID
cc-web-stack-project-123123
cc-ml-custom-project-112233

03 Run compute instances list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as identifier parameter and custom query filters to describe the name and zone for each virtual machine (VM) instance provisioned for the selected project: 

gcloud compute instances list
	--project cc-web-stack-project-123123
	--format="table(name,zone)"

04 The command output should return the name(s) of the instance(s) within the selected GCP project: 

NAME                      ZONE
cc-frontend-vm-instance   us-central1-a
cc-backend-vm-instance    us-central1-a

05 Run compute instances describe command (Windows/macOS/Linux) using the name and the zone of the instance that you want to examine as identifier parameter and custom filtering to describe the metadata items created for the selected virtual machine (VM) instance: 

gcloud compute instances describe cc-frontend-vm-instance
	--zone us-central1-a
	--format="json(metadata.items)"

06 The command output should return the requested VM instance metadata items: 

{
  "metadata": {
    "items": [
      {
        "key": "enable-oslogin",
        "value": "TRUE"
      },
      {
        "key": "ssh-keys",
        "value": "prod-instance-rsa-key:ssh-rsa ... prod-instance-rsa-key"
      }
    ]
  }
}

If the command output does not return any metadata items with the key name set to "enable-oslogin-2fa" or the "enable-oslogin-2fa" item exists but its value is set to "FALSE", the OS Login feature is not configured with Two-Factor Authentication (2FA) for the selected Google Cloud VM instance.

07 Repeat step no. 5 and 6 for each production VM instance provisioned within the selected project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

By requiring more than one mechanism to authenticate to an instance, Two-Factor Authentication/Multi-Factor Authentication protects the user login from attackers exploiting stolen or weak credentials. To configure your production and mission-critical VM instances to use OS Login with Two-Factor Authentication (2FA), perform the following operations:

Note: For all VM operating systems except CoreOS, OS Login 2FA changes are applied instantaneously, i.e. you don't have to restart your instance. For CoreOS distributions, you need to reboot or restart the instance for the configuration change to take effect.

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to Google Compute Engine dashboard at https://console.cloud.google.com/compute.

04 In the navigation panel, select VM instances to access the list with all the Compute Engine instances provisioned for the selected project.

05 Click on the name of the virtual machine (VM) instance that you want to reconfigure (see Audit section part I to identify the right resource).

06 On the selected resource configuration page, click EDIT to enter the instance edit mode.

07 In the Custom metadata section, perform the following actions:

  1. Make sure that a metadata entry with the Key set to enable-oslogin and the Value set to TRUE already exists.
  2. Click Add item and add a metadata entry where the Key is enable-oslogin-2fa and the Value is TRUE.

08 Click Save to apply the configuration changes.

09 If required, repeat steps no. 5 – 7 to reconfigure other VM instances created for the selected project.

10 Repeat steps no. 2 – 9 for each GCP project available within your Google Cloud account.

Using GCP CLI

01 Run compute instances add-metadata command (Windows/macOS/Linux) using the name of the virtual machine (VM) instance that you want to reconfigure as identifier parameter (see Audit section part II to identify the right resource), to configure OS Login with Two-Factor Authentication (2FA) for the selected instance: 

gcloud compute instances add-metadata cc-frontend-vm-instance
	--zone us-central1-a
	--metadata enable-oslogin=TRUE,enable-oslogin-2fa=TRUE

02 The command output should return the URL of the reconfigured Google Cloud project: 

Updated [https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/instances/cc-frontend-vm-instance].

03 If required, repeat step no. 1 and 2 to reconfigure other VM instances available within the selected project.

04 Repeat steps no. 1 – 3 for each GCP project deployed in your Google Cloud account.

References

Publication date Apr 21, 2021

Related ComputeEngine rules