Instances should not override the project setting for OS Login
| Property | |
|---|---|
| Language | |
| Severity | |
| Service | compute |
| Provider | |
| Vulnerability Type | misconfiguration |
Description
Instance-level overrides disabling OS Login allow SSH access to persist even after an IAM user’s access is revoked, bypassing centralized access management. This misconfiguration prevents automatic removal of associated SSH keys.
Impact
If exploited, former IAM users may retain unauthorized SSH access to compute instances, increasing the risk of unauthorized activities, data breaches, and non-compliance with access control policies.
Resolution
Enable OS Login at the project level and remove instance-level overrides.
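One way to find the overrides that need removing, as an added example that is not part of the original rule page: it reads project and instance metadata in the JSON shape produced by `gcloud compute project-info describe --format=json` and `gcloud compute instances list --format=json`, and reports instances whose own `enable-oslogin` metadata turns OS Login off. The sample data and the function names are constructed for illustration, and treating any explicit value other than `true` (case-insensitive) as a disabling override is an assumption chosen to err on the side of reporting.

```python
import json

# Constructed sample input (all names are made up), in the shape of
# `gcloud compute project-info describe --format=json` and
# `gcloud compute instances list --format=json`.
PROJECT_JSON = """
{"name": "example-project",
 "commonInstanceMetadata": {"items": [{"key": "enable-oslogin", "value": "TRUE"}]}}
"""
INSTANCES_JSON = """
[
 {"name": "web-1", "zone": "zones/us-central1-a",
  "metadata": {"items": [{"key": "enable-oslogin", "value": "false"}]}},
 {"name": "web-2", "zone": "zones/us-central1-a",
  "metadata": {"items": [{"key": "startup-script", "value": "#!/bin/sh"}]}},
 {"name": "db-1", "zone": "zones/us-central1-b",
  "metadata": {"items": [{"key": "enable-oslogin", "value": "TRUE"}]}},
 {"name": "batch-1", "zone": "zones/us-central1-b", "metadata": {}}
]
"""

KEY = "enable-oslogin"


def oslogin_value(metadata):
    """Return True/False for an explicit enable-oslogin value, None if unset."""
    for item in (metadata or {}).get("items") or []:
        if item.get("key") == KEY:
            # Assumption: only "true" (any case) counts as enabled.
            return str(item.get("value", "")).strip().lower() == "true"
    return None


def audit(project, instances):
    """Return (project_enabled, findings); findings are instances whose own
    metadata explicitly disables OS Login, overriding the project setting."""
    project_enabled = oslogin_value(project.get("commonInstanceMetadata")) is True
    findings = [
        {"instance": inst["name"], "zone": inst.get("zone", "").rsplit("/", 1)[-1]}
        for inst in instances
        if oslogin_value(inst.get("metadata")) is False
    ]
    return project_enabled, findings


def run_sample():
    return audit(json.loads(PROJECT_JSON), json.loads(INSTANCES_JSON))
```

Instances that return `None` from `oslogin_value` carry no override and inherit the project setting, so only explicit disabling values are reported.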