Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Remove "compute.disableGuestAttributesAccess" org policy #1019

Merged
merged 12 commits into from
Dec 11, 2023
Merged

feat: Remove "compute.disableGuestAttributesAccess" org policy #1019

merged 12 commits into from
Dec 11, 2023

Conversation

Samir-Cit
Copy link
Contributor

@Samir-Cit Samir-Cit commented Nov 10, 2023
edited by daniel-cit
Loading

Hello folks.

This PR is to remove compute.disableGuestAttributesAccess org policy.

This policy was originally enforced to help mitigate data exfiltration threats where software running on a VM publishes data from disk to the VM guest attributes, which could potentially be read by another service with IAM role access to read VM metadata.

This exfiltration threat is relatively niche because it requires an attacker to both deploy malicious software on a VM,
and have a privileged Compute IAM role. API-based data exfiltration risks can be better addressed by designing a VPC Service Controls perimeter around sensitive data.

On the other hand, guest attributes enable various useful workflows for automation, and guest attributes can help mitigate MITM attacks during remote VM access by storing host keys by enabling guest attributes.

Considering the balance of utility compared to risk, we no longer recommend this policy as a default setting for all customers who adopt the blueprint.

However, we encourage customers to review the security controls and customize the blueprint as appropriate for their requirements.

@Samir-Cit Samir-Cit requested review from rjerrems, gtsorbo and a team as code owners November 10, 2023 18:51
@rjerrems
Copy link
Collaborator

Can you please add some context as to why we are making this change so we can add that to the commit?

@eeaton
Copy link
Collaborator

eeaton commented Nov 15, 2023

Here is some context on the justification for the change, feel free to reuse from this below:

This policy was originally enforced to help mitigate data exfiltration threats where software running on a VM publishes data from disk to the VM guest attributes, which could potentially be read by another service with IAM role access to read VM metadata. This exfiltration threat is relatively niche because it requires an attacker to both deploy malicious software on a VM, and have a privileged Compute IAM role. API-based data exfiltration risks can be better addressed by designing a VPC Service Controls perimeter around sensitive data.

On the other hand, guest attributes enable various useful workflows for automation, and guest attributes can help mitigate MITM attacks during remote VM access by storing host keys by enabling guest attributes.

Considering the balance of utility compared to risk, we no longer recommend this policy as a default setting for all customers who adopt the blueprint. However, we encourage customers to review the security controls and customize the blueprint as appropriate for their requirements.

@gtsorbo gtsorbo merged commit 9fac80f into terraform-google-modules:master Dec 11, 2023
5 checks passed
@release-please release-please bot mentioned this pull request Dec 11, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rjerrems rjerrems rjerrems approved these changes

@gtsorbo gtsorbo gtsorbo approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@Samir-Cit @rjerrems @eeaton @gtsorbo @daniel-cit