Ensure GCP VM instances do not have serial port access enabled

Error: GCP VM instances have serial port access enabled

Bridgecrew Policy ID: BC_GCP_NETWORKING_11
Checkov Check ID: CKV_GCP_35
Severity: MEDIUM

GCP VM instances have serial port access enabled

Description

Interacting with serial port 1 of an instance is often referred to as the serial console. It works like a terminal window: input and output are entirely in text mode with no graphical interface or mouse support. If the interactive serial console is enabled on an instance, clients can attempt to connect to that instance from any IP address, because the feature supports no IP-based restriction. Unless it is actively needed for troubleshooting, interactive serial console support should be disabled.

A virtual machine instance has four virtual serial ports. The instance's BIOS, operating system, and other system-level entities write output to the serial ports and accept input, for example commands and responses to prompts. Typically these system-level entities use the first serial port (port 1), which is why serial port 1 is often referred to as the serial console.

The interactive serial console does not support IP-based access restrictions, for example an IP allowlist. If you enable the interactive serial console on an instance, clients can connect to that instance from any IP address. This allows anybody with the correct SSH key, username, project ID, zone, and instance name to connect to that instance, so the only thing standing between the internet and the console is the SSH key material. To stop this type of access, interactive serial console support should be disabled.

Fix - Runtime

GCP Console

To disable serial port access using the GCP Console, follow these steps:

  1. Log in to the GCP Console at https://console.cloud.google.com.
  2. Navigate to Compute Engine.
  3. Navigate to VM instances.
  4. Select the specific VM.
  5. Click Edit.
  6. Clear the Enable connecting to serial ports checkbox, located in the Remote access section.
  7. Click Save.

CLI Command

To disable interactive serial console access on an instance, set the serial-port-enable metadata key to false (or the equivalent value 0) with one of the following commands:

gcloud compute instances add-metadata INSTANCE_NAME \
    --zone=ZONE \
    --metadata=serial-port-enable=false

OR

gcloud compute instances add-metadata INSTANCE_NAME \
    --zone=ZONE \
    --metadata=serial-port-enable=0

Note that serial-port-enable can also be set in project-wide metadata (commonInstanceMetadata), which applies to every instance in the project that does not set the key itself; an instance-level value takes precedence over the project-level value. When auditing, check both levels: an instance with no serial-port-enable key is still exposed if the project sets it to true.
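The following added example, which is not part of the original page or of Checkov itself, shows the runtime audit a practitioner would run before applying the fix above: it reads the JSON shape produced by gcloud compute instances list --format=json and gcloud compute project-info describe --format=json, resolves the effective serial-port-enable setting per instance (instance metadata overriding project metadata), and emits the matching gcloud remediation commands. The sample JSON is constructed inline so the script runs offline; the instance names, zones, and project values are placeholders. Treating true/1 case-insensitively as enabled is a deliberately conservative choice of this example, not a statement about how Compute Engine parses every spelling.

```python
import json

# Constructed sample in the shape of `gcloud compute instances list --format=json`
# (only the fields this check reads). Names and zones are placeholders.
SAMPLE_INSTANCES_JSON = """
[
  {"name": "web-1",
   "zone": "https://www.googleapis.com/compute/v1/projects/demo/zones/us-central1-a",
   "metadata": {"items": [{"key": "serial-port-enable", "value": "true"}]}},
  {"name": "web-2",
   "zone": "https://www.googleapis.com/compute/v1/projects/demo/zones/us-central1-a",
   "metadata": {"items": [{"key": "serial-port-enable", "value": "0"}]}},
  {"name": "db-1",
   "zone": "https://www.googleapis.com/compute/v1/projects/demo/zones/us-central1-b",
   "metadata": {"items": [{"key": "enable-oslogin", "value": "TRUE"}]}},
  {"name": "batch-1",
   "zone": "https://www.googleapis.com/compute/v1/projects/demo/zones/us-central1-b",
   "metadata": {"items": [{"key": "serial-port-enable", "value": "1"}]}}
]
"""

# Constructed sample of the commonInstanceMetadata block from
# `gcloud compute project-info describe --format=json`.
SAMPLE_PROJECT_JSON = """
{"commonInstanceMetadata": {"items": [{"key": "serial-port-enable", "value": "TRUE"}]}}
"""

# Values the page documents as enabling the console; compared case-insensitively
# here as a conservative audit choice (assumption of this example).
ENABLED_VALUES = {"true", "1"}


def serial_port_enabled(value):
    """Return True/False for a serial-port-enable value, or None if the key is absent."""
    if value is None:
        return None
    return str(value).strip().lower() in ENABLED_VALUES


def _items_to_dict(items):
    return {item["key"]: item.get("value") for item in items}


def find_serial_console_enabled(instances_json, project_json=None):
    """List instances whose effective serial-port-enable resolves to enabled.

    Instance-level metadata overrides the project-level value; an instance
    without the key inherits whatever the project sets.
    """
    project_default = None
    if project_json:
        project = json.loads(project_json)
        common = project.get("commonInstanceMetadata", {}).get("items", [])
        project_default = serial_port_enabled(
            _items_to_dict(common).get("serial-port-enable"))

    findings = []
    for inst in json.loads(instances_json):
        items = _items_to_dict(inst.get("metadata", {}).get("items", []))
        inst_setting = serial_port_enabled(items.get("serial-port-enable"))
        effective = inst_setting if inst_setting is not None else project_default
        if effective:
            findings.append({
                "name": inst["name"],
                # gcloud returns the zone as a URL; keep only the short zone name.
                "zone": inst["zone"].rsplit("/", 1)[-1],
                "source": "instance" if inst_setting is not None else "project",
            })
    return findings


def remediation_commands(findings):
    """Build the per-instance gcloud fix from the page's runtime section."""
    return [
        f"gcloud compute instances add-metadata {f['name']} "
        f"--zone={f['zone']} --metadata=serial-port-enable=false"
        for f in findings
    ]


if __name__ == "__main__":
    exposed = find_serial_console_enabled(SAMPLE_INSTANCES_JSON, SAMPLE_PROJECT_JSON)
    for finding, cmd in zip(exposed, remediation_commands(exposed)):
        print(f"{finding['name']} ({finding['zone']}): enabled via {finding['source']} metadata")
        print("  " + cmd)
```

In the sample, web-2 is safe even though the project enables the console, because its own metadata sets the key to 0, while db-1 is flagged despite having no serial-port-enable key of its own. Setting the key to false explicitly on each instance, as the generated commands do, removes the dependency on project-level metadata.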

Fix - Buildtime

Terraform

  • Resource: google_compute_instance
  • Argument: the serial-port-enable key inside the metadata map
    The check fails when the key is set to true or 1. When the key is absent, the instance inherits the project-level setting, which defaults to disabled; setting the key explicitly to false overrides any project-level value. The same key in google_compute_project_metadata enables the console for every instance that does not set it.
resource "google_compute_instance" "default" {
  name         = "test"
  machine_type = "n1-standard-1"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-11"
    }
  }

  network_interface {
    network = "default"
  }

  metadata = {
-   serial-port-enable = true
+   serial-port-enable = false
  }
}