Severity: MEDIUM
Source: Trivy/CSPM
CSPM ID: connect-serial-ports-disabled
ID: AVD-GCP-0032

Disable serial port connectivity for all instances

When serial port access is enabled on an instance, that access is not governed by the instance's network security rules (VPC firewall), so the serial console can end up exposed to the public internet.

Impact

Unrestricted network access to the serial console of the instance

Follow the appropriate remediation steps below to resolve the issue.

  1. Log into the Google Cloud Platform Console.

  2. In the left navigation panel, choose “Compute Engine”, then select “VM instances”.

  3. On the “VM instances” page, select the VM instance that needs to be verified.

  4. On the “VM instance details” page, scroll down and check whether “Enable connecting to serial ports” is enabled for the instance.

  5. Repeat steps 2 - 4 to verify the other VM instances in the network.

  6. Navigate to “Compute Engine”, choose “VM instances” and select the VM instance for which “Enable connecting to serial ports” needs to be disabled.

  7. On the “VM instance details” page, click the “Edit” button at the top.

  8. On the “VM instance details - Edit” page, clear the checkbox next to “Enable connecting to serial ports”.

  9. Click the “Save” button to apply the change.

  10. Repeat steps 6 - 9 to ensure the “Enable connecting to serial ports” option is disabled for all compute instances.
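The console procedure above is hard to repeat across many projects, so the following added example (not part of the Trivy page or the Trivy project's own code) performs the same verification programmatically: it reads the JSON that `gcloud compute instances list --format=json` and `gcloud compute project-info describe --format=json` produce, resolves the effective `serial-port-enable` value per instance (instance metadata overrides the project-level `commonInstanceMetadata`), and emits the `gcloud compute instances add-metadata` command that disables it. The instance names, zones and metadata values embedded below are constructed sample data; the JSON field names match the Compute Engine API shape.

```python
import json
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of `gcloud compute instances list --format=json`,
# reduced to the fields this check needs (name, zone URL, metadata.items).
# The instance names and values are made up for the example.
SAMPLE_INSTANCES_JSON = """
[
  {"name": "web-1",
   "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-a",
   "metadata": {"items": [{"key": "serial-port-enable", "value": "true"}]}},
  {"name": "web-2",
   "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-b",
   "metadata": {"items": [{"key": "serial-port-enable", "value": "false"}]}},
  {"name": "db-1",
   "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/europe-west1-b",
   "metadata": {"items": [{"key": "enable-oslogin", "value": "TRUE"}]}},
  {"name": "batch-1",
   "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/europe-west1-c",
   "metadata": {"items": [{"key": "serial-port-enable", "value": "1"}]}}
]
"""

# Constructed sample in the shape of `gcloud compute project-info describe --format=json`,
# reduced to commonInstanceMetadata, which instances inherit for keys they do not set.
SAMPLE_PROJECT_JSON = """
{"commonInstanceMetadata": {"items": [{"key": "serial-port-enable", "value": "TRUE"}]}}
"""

KEY = "serial-port-enable"
# Compute Engine treats these values (case-insensitively) as "enabled"; any other
# value, or an absent key, leaves the serial console disabled.
TRUTHY = {"true", "1"}


def metadata_value(items: Optional[List[Dict]], key: str) -> Optional[str]:
    """Return the value of `key` from a metadata items list, or None if absent."""
    for item in items or []:
        if item.get("key") == key:
            return item.get("value")
    return None


def serial_port_enabled(value: Optional[str]) -> bool:
    return value is not None and value.strip().lower() in TRUTHY


def find_exposed_instances(instances: List[Dict], project_items: Optional[List[Dict]]) -> List[Dict]:
    """Flag instances whose effective serial-port-enable value is on.

    An instance that sets the key explicitly is judged on its own value; one that
    does not set it inherits the project-level value.
    """
    project_value = metadata_value(project_items, KEY)
    findings = []
    for inst in instances:
        own_value = metadata_value(inst.get("metadata", {}).get("items"), KEY)
        effective = own_value if own_value is not None else project_value
        if not serial_port_enabled(effective):
            continue
        zone = inst["zone"].rsplit("/", 1)[-1]  # zone URL -> short zone name
        findings.append({
            "name": inst["name"],
            "zone": zone,
            "source": "instance" if own_value is not None else "project",
            # Setting the key to false at instance level also overrides a project-level TRUE.
            "remediation": (
                f"gcloud compute instances add-metadata {inst['name']} "
                f"--zone {zone} --metadata {KEY}=false"
            ),
        })
    return findings


def load_samples() -> Tuple[List[Dict], List[Dict]]:
    """Parse the constructed samples; replace with real gcloud JSON output in practice."""
    instances = json.loads(SAMPLE_INSTANCES_JSON)
    project = json.loads(SAMPLE_PROJECT_JSON)
    return instances, project["commonInstanceMetadata"]["items"]


def check_samples() -> List[Dict]:
    instances, project_items = load_samples()
    return find_exposed_instances(instances, project_items)


if __name__ == "__main__":
    for f in check_samples():
        print(f"{f['name']} ({f['zone']}): serial console enabled via {f['source']} metadata")
        print(f"  fix: {f['remediation']}")
```

Run against the samples, the script flags `web-1` and `batch-1` (explicitly enabled on the instance, note that `1` counts) and `db-1` (inheriting the project-level `TRUE`), while `web-2` is left alone because its own `false` overrides the project setting. The script does not call `gcloud` itself; feed it the JSON exports and review the printed remediation commands before applying them. Clearing the project-level key as well prevents newly created instances from inheriting the exposure.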

Disable serial port access

resource "google_service_account" "default" {
  account_id   = "service_account_id"
  display_name = "Service Account"
}

resource "google_compute_instance" "default" {
  name         = "test"
  machine_type = "e2-medium"
  zone         = "us-central1-a"

  tags = ["foo", "bar"]

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-9"
    }
  }

  // Local SSD disk
  scratch_disk {
    interface = "SCSI"
  }

  network_interface {
    network = "default"

    access_config {
      // Ephemeral IP
    }
  }

  metadata = {
    // Explicitly disable interactive serial console access on this instance.
    // This also overrides any project-level serial-port-enable setting.
    serial-port-enable = false
  }

  metadata_startup_script = "echo hi > /test.txt"

  service_account {
    # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
    email  = google_service_account.default.email
    scopes = ["cloud-platform"]
  }
}