Vulnerabilities
Misconfiguration
Runtime Security
Compliance
Google > Gke >

Metadata Endpoints Disabled

HIGH
Source
Trivy
ID
AVD-GCP-0048
terraform

Legacy metadata endpoints enabled.

The Compute Engine instance metadata server exposes legacy v0.1 and v1beta1 endpoints, which do not enforce metadata query headers.

This is a feature in the v1 APIs that makes it more difficult for a potential attacker to retrieve instance metadata.

Unless specifically required, we recommend you disable these legacy APIs.

When setting the metadata block, the default value for disable-legacy-endpoints is set to true, they should not be explicitly enabled.

Impact

Follow the appropriate remediation steps below to resolve the issue.

Disable legacy metadata endpoints

1
2
3
4
5
6
7

resource "google_container_cluster" "good_example" {
  node_config {
    metadata = {
      disable-legacy-endpoints = true
    }
  }
}
Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2024 Aqua Security Software Ltd.   Privacy Policy | Terms of Use