Improper Access Control
| Property | |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-284: Improper Access Control |
| OWASP | A05:2017 - Broken Access Control |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description
Disabling OS Login on a Google Compute instance overrides the project-wide security setting and allows users to connect using SSH keys stored in instance metadata, reducing centralized access control.
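A check for the condition described above, as an added example rather than the scanner's own rule code: it flags instances whose metadata explicitly sets `enable-oslogin` to a non-true value and counts the SSH keys stored in that instance's metadata. The instance and project data are constructed, and treating only a case-insensitive `true` as enabled is an assumption.

```python
import json

# Constructed sample shaped like `gcloud compute instances list --format=json`;
# instance names and key material are made up for this example.
SAMPLE_INSTANCES = json.loads("""
[
  {"name": "web-1", "metadata": {"items": [
    {"key": "enable-oslogin", "value": "FALSE"},
    {"key": "ssh-keys", "value": "alice:ssh-ed25519 AAAA-constructed alice@example"}]}},
  {"name": "web-2", "metadata": {"items": [
    {"key": "enable-oslogin", "value": "true"}]}},
  {"name": "batch-1", "metadata": {}}
]
""")
# Constructed project-wide metadata, already flattened to key -> value.
PROJECT_METADATA = {"enable-oslogin": "TRUE"}

def is_true(value):
    # Assumption: only a case-insensitive "true" counts as enabled.
    return str(value).strip().lower() == "true"

def metadata_map(instance):
    """Flatten an instance's metadata.items list into a dict."""
    items = (instance.get("metadata") or {}).get("items") or []
    return {item["key"]: item.get("value", "") for item in items}

def effective_oslogin(instance, project_md):
    """An instance-level enable-oslogin value takes precedence over the project's."""
    md = metadata_map(instance)
    return is_true(md.get("enable-oslogin", project_md.get("enable-oslogin", "")))

def audit(instances, project_md):
    """Return one finding per instance that explicitly turns OS Login off."""
    findings = []
    for inst in instances:
        md = metadata_map(inst)
        if "enable-oslogin" not in md or is_true(md["enable-oslogin"]):
            continue  # inherits the project setting, or explicitly enabled
        keys = [k for k in md.get("ssh-keys", "").splitlines() if k.strip()]
        findings.append({
            "instance": inst["name"],
            "overrides_project": is_true(project_md.get("enable-oslogin", "")),
            "instance_ssh_keys": len(keys),
        })
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_INSTANCES, PROJECT_METADATA):
        print(finding)
```

An instance with no `enable-oslogin` key, such as `batch-1` in the sample, inherits the project-wide value and is not reported.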
Impact
Attackers or unauthorized users could gain direct SSH access to instances by bypassing organization-wide login policies, increasing the risk of unauthorized access and making it harder to audit and manage user permissions across your cloud infrastructure.