Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Disable Guest Attributes of Compute Engine Metadata

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that "Disable Guest Attributes of Compute Engine Metadata" organization policy is enforced in order to disable Compute Engine API access to the guest attributes configured for the virtual machines instances that belong to your project, folder, or organization.

Security

Guest attributes are a specific type of custom metadata that your cloud applications can write to while running on your virtual machine (VM) instance. Any application or user on your VM instance can both read and write data to the guest attribute metadata values. Guest attributes are generally used for virtual machine startup scripts, configuration management agents, inventory management agents, and workload orchestration software. By default, the Compute Engine API can be used to access virtual machine guest attributes without restrictions. To ensure that users cannot configure guest attributes for your virtual machine instances in order to meet security and compliance requirements, disable the feature at the organization level by enforcing "Disable Guest Attributes of Compute Engine Metadata" policy.

Audit

To determine if "Disable Guest Attributes of Compute Engine Metadata" constraint policy is enabled for your GCP organizations, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console with the organizational unit credentials.

02 Click on the deployment selector from the top navigation bar, select ALL to list all the existing deployments, then choose the Google Cloud organization that you want to examine.

03 Navigate to Cloud Identity and Access Management (IAM) dashboard at https://console.cloud.google.com/iam-admin/iam.

04 In the navigation panel, select Organization Policies to access the list with the cloud organization policies available for your GCP organization.

05 Click inside the Filter by policy name or ID filter box, select Disable Guest Attributes of Compute Engine metadata to return the "Disable Guest Attributes of Compute Engine Metadata" organization policy.

06 Click on the name of the GCP organization policy returned at the previous step.

07 On the Policy details page, under Effective policy, check the Enforcement configuration attribute status. If the Enforcement attribute status is set to Not enforced, the policy is not enabled within your organization, therefore the use of guest attributes for Compute Engine virtual machines is not restricted for the selected GCP organization.

08 Repeat steps no. 2 – 7 for each organization available in your Google Cloud account.

Using GCP CLI

01 Run organizations list command (Windows/macOS/Linux) using custom query filters to list the ID of each GCP organization created within your Google Cloud account: 

gcloud organizations list
    --format="table(name)"

02 The command output should return the requested organization identifiers (IDs): 

ID
112233441122
123412341234

03 Run resource-manager org-policies describe command (Windows/macOS/Linux) using the ID of the GCP organization that you want to examine as identifier parameter, to describe the enforcement configuration of the "Disable Guest Attributes of Compute Engine Metadata" policy, available for the selected organization: 

gcloud alpha resource-manager org-policies describe
"compute.disableGuestAttributesAccess"
    --effective
    --organization=112233441122
    --format="table(booleanPolicy)"

04 The command request should return the requested configuration information: 

BOOLEAN_POLICY
{}

If the resource-manager org-policies describe command output returns an empty object for the BOOLEAN_POLICY configuration attribute, i.e. {}, the "Disable Guest Attributes of Compute Engine Metadata" constraint policy is not enforced at the organization level, therefore the use of guest attributes for Compute Engine virtual machines is not restricted within the selected GCP organization.

05 Repeat step no. 3 and 4 for each organization created within your Google Cloud account.

Remediation / Resolution

To ensure that GCP users cannot configure guest attributes for Compute Engine virtual machines, enable the "Disable Guest Attributes of Compute Engine Metadata" organization policy by performing the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console with the organizational unit credentials.

02 Click on the deployment selector from the top navigation bar, select ALL to list all the existing deployments, then choose the Google Cloud organization that you want to reconfigure.

03 Navigate to Cloud Identity and Access Management (IAM) dashboard at https://console.cloud.google.com/iam-admin/iam.

04 In the navigation panel, select Organization Policies to access the list with the cloud organization policies available for your GCP organization.

05 Click inside the Filter by policy name or ID box, select Disable Guest Attributes of Compute Engine metadata to list only the "Disable Guest Attributes of Compute Engine Metadata" policy.

06 Click on the name of the GCP organization policy listed at the previous step.

07 On the Policy details page, click on the EDIT button from the dashboard top menu to edit the selected policy.

08 On the Edit policy configuration page, perform the following actions:

  1. Under Applies to, select Customize to choose the type of the policy to apply (i.e. customized policy).
  2. Under Enforcement, select On to enable "Disable Guest Attributes of Compute Engine Metadata" organization policy. This policy disables the ability to configure guest attributes for the Compute Engine virtual machines deployed in the selected organization.
  3. Click SAVE to apply the changes and enforce the "Disable Guest Attributes of Compute Engine Metadata" policy constraints.

09 If required, repeat steps no. 2 – 8 to enable the necessary policy for other organizations available in your Google Cloud account.

Using GCP CLI

01 Run resource-manager org-policies enable-enforce command (Windows/macOS/Linux) using the ID of the Google Cloud Platform (GCP) organization that you want to reconfigure as identifier parameter, to enforce the "Disable Guest Attributes of Compute Engine Metadata" policy (i.e. compute.disableGuestAttributesAccess constraint) for the selected GCP organization: 

gcloud alpha resource-manager org-policies enable-enforce
"compute.disableGuestAttributesAccess"
    --organization=112233441122

02 The command request should return the reconfigured organization policy metadata: 

booleanPolicy:
  enforced: true
constraint: constraints/compute.disableGuestAttributesAccess
etag: abcdabcdabcd
updateTime: '2020-09-02T15:00:00.000Z'

03 If required, repeat step no. 1 and 2 to enforce the required policy for other GCP organizations created within your Google Cloud account.

References

Publication date May 10, 2021

Related ResourceManager rules