Improper Access Control
| Property | |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-284: Improper Access Control |
| OWASP | A05:2017 - Broken Access Control |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description
The project does not have OS Login enabled in its Google Compute metadata configuration. Without OS Login, SSH access to VM instances is managed locally, making it harder to centrally control and audit user access.
Impact
If OS Login is not enabled, attackers or unauthorized users may retain access to VMs even after their permissions are revoked in IAM, increasing the risk of unauthorized access or privilege escalation. This weakens access control and auditability across your GCP environment.
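One way to check for this condition outside of a scanner, as an added example that is not part of the rule's own code: the script reads project and instance metadata in the JSON shape returned by `gcloud compute project-info describe --format=json` and `gcloud compute instances list --format=json`, and reports where the `enable-oslogin` key is missing or not `TRUE`. It also covers instance-level metadata, which takes precedence over the project setting. The sample JSON is constructed, and the function names are hypothetical.

```python
import json

# Constructed sample shaped like `gcloud compute project-info describe --format=json`.
PROJECT_JSON = """
{"name": "example-project",
 "commonInstanceMetadata": {"items": [
   {"key": "enable-oslogin", "value": "TRUE"},
   {"key": "ssh-keys", "value": "alice:ssh-ed25519 AAAA-constructed alice"}]}}
"""
# Constructed sample shaped like `gcloud compute instances list --format=json`.
INSTANCES_JSON = """
[{"name": "web-1", "metadata": {"items": []}},
 {"name": "db-1", "metadata": {"items": [{"key": "enable-oslogin", "value": "false"}]}},
 {"name": "batch-1", "metadata": {}}]
"""

def metadata_map(metadata):
    """Flatten a Compute metadata object ({"items": [{key, value}, ...]}) to a dict."""
    return {i["key"]: i.get("value", "") for i in (metadata or {}).get("items") or []}

def oslogin_setting(metadata):
    """Return True/False if enable-oslogin is set, None if the key is absent.

    Assumption: only the value "true" (any case) counts as enabled, which is
    the conservative reading for an audit.
    """
    value = metadata_map(metadata).get("enable-oslogin")
    return None if value is None else value.strip().lower() == "true"

def audit(project, instances):
    """Return (resource, finding) tuples for the project and each instance."""
    findings = []
    project_on = oslogin_setting(project.get("commonInstanceMetadata")) is True
    if not project_on:
        findings.append((project["name"], "OS Login not enabled in project metadata"))
    for inst in instances:
        setting = oslogin_setting(inst.get("metadata"))
        # An instance-level key overrides the project-level value.
        effective = project_on if setting is None else setting
        if not effective:
            findings.append((inst["name"], "OS Login disabled for this instance"))
    return findings

if __name__ == "__main__":
    for resource, finding in audit(json.loads(PROJECT_JSON), json.loads(INSTANCES_JSON)):
        print(f"{resource}: {finding}")
```

With the constructed data, the project passes but `db-1` is reported, because its own metadata turns OS Login off and SSH access on that VM falls back to locally managed keys.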