K8s compute engine instance metadata apis disabled remediation

Using Console

Using CLI

To remediate the misconfiguration “Ensure Legacy Compute Engine Instance Metadata APIs Are Disabled” for GCP using GCP CLI, follow the below steps:

Open the GCP Cloud Shell and run the following command to disable the legacy metadata APIs:

gcloud compute instances add-metadata [INSTANCE_NAME] --metadata=metadata-yaml-disable-legacy-endpoints=true

Here, replace [INSTANCE_NAME] with the name of the instance for which you want to disable the legacy metadata APIs.

Verify the change by running the following command:

gcloud compute instances describe [INSTANCE_NAME] --format="get(metadata.items['metadata-yaml-disable-legacy-endpoints'])"

This should output “true” which indicates that the legacy metadata APIs are now disabled.

Repeat the above steps for all the instances in your GCP project to ensure that the legacy metadata APIs are disabled for all instances.

Note: It is recommended to use the latest metadata APIs instead of the legacy ones for better security and performance.

Using Python

To remediate the misconfiguration “Ensure Legacy Compute Engine Instance Metadata APIs Are Disabled” for GCP using Python, you can use the following steps:

Import the necessary Python libraries:

from googleapiclient import discovery
from oauth2client.client import GoogleCredentials

Authenticate and authorize your credentials:

credentials = GoogleCredentials.get_application_default()
service = discovery.build('compute', 'v1', credentials=credentials)

Get the project ID:

project = 'YOUR_PROJECT_ID'

Get the instance name:

instance = 'YOUR_INSTANCE_NAME'

Get the instance metadata:

request = service.instances().get(project=project, zone=zone, instance=instance)
response = request.execute()
metadata = response['metadata']

Check if the legacy metadata APIs are enabled:

if 'enable-guest-attributes' in metadata:
    if metadata['enable-guest-attributes'] == 'TRUE':
        metadata.pop('enable-guest-attributes')
        body = {'metadata': metadata}
        request = service.instances().setMetadata(project=project, zone=zone, instance=instance, body=body)
        response = request.execute()
        print('Legacy Compute Engine Instance Metadata APIs have been disabled.')
    else:
        print('Legacy Compute Engine Instance Metadata APIs are already disabled.')
else:
    print('Legacy Compute Engine Instance Metadata APIs are already disabled.')

If the legacy metadata APIs are enabled, remove the ‘enable-guest-attributes’ key from the metadata and update the instance metadata with the new metadata:

metadata.pop('enable-guest-attributes')
body = {'metadata': metadata}
request = service.instances().setMetadata(project=project, zone=zone, instance=instance, body=body)
response = request.execute()
print('Legacy Compute Engine Instance Metadata APIs have been disabled.')

If the legacy metadata APIs are already disabled, print a message indicating that they are already disabled:

print('Legacy Compute Engine Instance Metadata APIs are already disabled.')

Note: Replace YOUR_PROJECT_ID and YOUR_INSTANCE_NAME with your actual project ID and instance name respectively. Also, replace the zone variable with the appropriate zone for your instance.

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

K8s compute engine instance metadata apis disabled remediation

Triage and Remediation

Remediation

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​Triage and Remediation

​Remediation

Triage and Remediation

Remediation