Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Disable Serial Port Access Support at Organization Level

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that "Disable VM serial port access" constraint policy is enabled for your Google Cloud Platform (GCP) organizations. Due to security and compliance regulations, the serial port access to your Compute Engine virtual machine (VM) instances must be disabled.

Security

When serial port access is enabled for a VM instance, clients can attempt to connect to that instance from any IP address and this allows anybody to access the instance if they know the user name, the SSH key, the project ID, and the instance name and zone. To prevent all virtual machine instances deployed within your GCP organization from having serial port access support, enforce "Disable VM Serial Port Access" organization policy. This constraint disables serial port access to Compute Engine VM instances belonging to the organization (including projects and folders) where the constraint is set to True, regardless of the metadata attributes configured for the instances.

Audit

To determine if "Disable VM serial port access" policy is enforced at the GCP organization level, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console with the organizational unit credentials.

02 Click on the deployment selector from the top navigation bar, select ALL to list all the existing deployments, then choose the Google Cloud organization that you want to examine.

03 Navigate to Cloud Identity and Access Management (IAM) dashboard at https://console.cloud.google.com/iam-admin/iam.

04 In the navigation panel, select Organization Policies to access the list with the cloud organization policies available for your GCP organization.

05 Click inside the Filter by policy name or ID filter box, select Disable VM serial port access to return only the “Disable VM serial port access” organization policy.

06 Click on the name of the GCP organization policy returned at the previous step.

07 On the Policy details page, under Effective policy, check the Enforcement configuration attribute status. If the Enforcement attribute status is set to Not enforced, the policy is not enabled for your organization, therefore the restriction of enabling serial port access to virtual machine instances is not enabled for the selected Google Cloud organization.

08 Repeat steps no. 2 – 7 for each organization available in in your Google Cloud account.

Using GCP CLI

01 Run organizations list command (Windows/macOS/Linux) using custom query filters to list the ID of each GCP organization created within your Google Cloud account: 

gcloud organizations list
  --format="table(name)"

02 The command output should return the requested organization IDs: 

ID
112233441122
123412341234

03 Run resource-manager org-policies describe command (Windows/macOS/Linux) using the ID of the GCP organization that you want to reconfigure as identifier parameter, to describe the enforcement configuration of the “Disable VM serial port access” policy (i.e. "compute.disableSerialPortAccess"), available for the selected organization: 

gcloud alpha resource-manager org-policies describe
"compute.disableSerialPortAccess"
  --effective
  --organization=112233441122
  --format="table(booleanPolicy)"

04 The command request should return the requested configuration information: 

BOOLEAN_POLICY
{}

If the resource-manager org-policies describe command output returns an empty object for the BOOLEAN_POLICY configuration attribute, i.e. {}, the “Disable VM serial port access” policy is not enforced at the organization level, therefore the restriction of enabling serial port access to virtual machine instances is not enabled for the selected Google Cloud organization.

05 Repeat step no. 3 and 4 for each organization created within in your Google Cloud account.

Remediation / Resolution

To ensure that the serial port access to the virtual machine instances running within your Google Cloud project, folder, or organization is disabled at the GCP organization level, enable the “Disable VM serial port access” organization policy by performing the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console with the organizational unit credentials.

02 Click on the deployment selector from the top navigation bar, select ALL to list all the existing deployments, then choose the Google Cloud organization that you want to reconfigure.

03 Navigate to Cloud Identity and Access Management (IAM) dashboard at https://console.cloud.google.com/iam-admin/iam.

04 In the navigation panel, select Organization Policies to access the list with the cloud organization policies available for your GCP organization.

05 Click inside the Filter by policy name or ID box, select Name and Disable VM serial port access to list only the “Disable VM serial port access” policy.

06 Click on the name of the GCP organization policy listed at the previous step.

07 On the Policy details page, click on the EDIT button from the console top menu to edit the selected policy.

08 On the Edit policy configuration page, perform the following:

  1. Under Applies to, select Customize to choose the type of the policy to apply (i.e. customized policy).
  2. Under Enforcement, select On to enforce the "compute.disableSerialPortAccess" policy constraint. This constraint disables the capability of enabling serial port access to the virtual machine instances deployed in the selected Google Cloud organization.
  3. Click SAVE to apply the changes and enforce the “Disable VM serial port access” policy constraints.

09 If required, repeat steps no. 2 – 8 to enable the policy for other organizations available in your Google Cloud account.

Using GCP CLI

01 Run resource-manager org-policies enable-enforce command (Windows/macOS/Linux) using the ID of the Google Cloud Platform (GCP) organization that you want to reconfigure as identifier parameter, to enforce the “Disable VM serial port access” policy (i.e. "compute.disableSerialPortAccess" constraint) for the selected GCP organization: 

gcloud alpha resource-manager org-policies enable-enforce "compute.disableSerialPortAccess"
  --organization=112233441122

02 The command request should return the reconfigured organization policy metadata: 

booleanPolicy:
  enforced: true
constraint: constraints/compute.disableSerialPortAccess
etag: aabbccddabcd
updateTime: '2020-07-19T15:00:00.000Z'

03 If required, repeat step no. 1 and 2 to enforce the policy for other GCP organizations available in your Google Cloud account.

References

Publication date May 4, 2021

Related ResourceManager rules