Kingdom: Environment
This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms.
GCP Terraform Misconfiguration: Compute Engine Access Control
Abstract
A Terraform configuration sets up a Compute Engine instance without using Identity and Access Management (IAM) roles to manage SSH access.
Explanation
The IAM-based access control reduces human errors and promotes efficiency. Enabling the OS Login permits the use of IAM roles to automate the lifecycle management of Linux accounts for accessing all Compute Engine instances in the same project or organization.
Example 1: The following example shows a Terraform configuration that disables the use of IAM roles to manage SSH access by setting
Example 1: The following example shows a Terraform configuration that disables the use of IAM roles to manage SSH access by setting
enable-oslogin to false in the metadata argument.
resource "google_compute_instance" "compute-instance-demo" {
...
metadata = {
enable-oslogin = false
...
}
...
}
References
[1] HashiCorp google_compute_instance
[2] Google Cloud About OS Login
[3] Standards Mapping - CIS Google Cloud Computing Platform Benchmark Recommendation 4.4
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000015, CCI-002121
[5] Standards Mapping - FIPS200 AC
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-2 Account Management (P1), AC-3 Access Enforcement (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-2 Account Management, AC-3 Access Enforcement
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.1.6 Secure Software Development Lifecycle (L2 L3), 1.4.1 Access Control Architectural Requirements (L2 L3)
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 8.2.1
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 8.3.1
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 8.3.1
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[16] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000280 CAT II, APSC-DV-002880 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000280 CAT II, APSC-DV-002880 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000280 CAT II, APSC-DV-002880 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000280 CAT II, APSC-DV-002880 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000280 CAT II, APSC-DV-002880 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000280 CAT II, APSC-DV-002880 CAT II
desc.structural.hcl.gcp_terraform_misconfiguration_compute_engine_access_control