Guest Attributes of Compute Engine Metadata Not Disabled

ID: gcloud-org-guest-attributes

Severity: medium

Author: princechaddha

Tags: cloud,devops,gcp,gcloud,resourcemanager,security,compute,metadata,gcp-cloud-config

Description

Ensure that “Disable Guest Attributes of Compute Engine Metadata” organization policy is enforced in order to disable Compute Engine API access to the guest attributes configured for the virtual machines instances that belong to your project, folder, or organization. Guest attributes are a specific type of custom metadata that your cloud applications can write to while running on your virtual machine (VM) instance.

YAML Source

id: gcloud-org-guest-attributes

info:
  name: Guest Attributes of Compute Engine Metadata Not Disabled
  author: princechaddha
  severity: medium
  description: |
    Ensure that "Disable Guest Attributes of Compute Engine Metadata" organization policy is enforced in order to disable Compute Engine API access to the guest attributes configured for the virtual machines instances that belong to your project, folder, or organization. Guest attributes are a specific type of custom metadata that your cloud applications can write to while running on your virtual machine (VM) instance.
  impact: |
    By default, any application or user on your VM instance can both read and write data to the guest attribute metadata values, which could lead to unauthorized access or data exposure.
  remediation: |
    Enable the "Disable Guest Attributes of Compute Engine Metadata" policy at the organization level using the 'gcloud alpha resource-manager org-policies enable-enforce' command with the compute.disableGuestAttributesAccess constraint.
  reference:
    - https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/ResourceManager/disable-using-guest-attributes.html
    - https://cloud.google.com/compute/docs/metadata/guest-attributes
  tags: cloud,devops,gcp,gcloud,resourcemanager,security,compute,metadata,gcp-cloud-config

flow: |
  code(1)
  for(let orgId of iterate(template.orgIds)){
    set("orgId", orgId)
    code(2)
  }

self-contained: true

code:
  - engine:
      - sh
      - bash
    source: |
      gcloud organizations list --format="json(name)"

    extractors:
      - type: json
        name: orgIds
        internal: true
        json:
          - '.[].name'

  - engine:
      - sh
      - bash
    source: |
      gcloud alpha resource-manager org-policies describe compute.disableGuestAttributesAccess --organization=$orgId --effective --format="json(booleanPolicy)"

    matchers:
      - type: word
        words:
          - "{}"

    extractors:
      - type: dsl
        dsl:
          - '"Organization " + orgId + " has not disabled guest attributes for Compute Engine metadata"'
# digest: 4a0a0047304502201e9afae3b95f5be5f12ab8eaa7e6c916380294ea0e5eea008764e314a36b0f93022100955a3ea3dd8d64ab7a0f9ecc7ecee6e73573558b143867869b4631dca2ae81b4:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "cloud/gcp/resourcemanager/gcloud-org-guest-attributes.yaml"

View on Github