Severity: HIGH
Source: Trivy
ID: AVD-GCP-0048

Legacy metadata endpoints enabled.

The Compute Engine instance metadata server exposes legacy v0.1 and v1beta1 endpoints, which do not enforce metadata query headers.

Requiring these headers is a feature of the v1 API that makes it more difficult for a potential attacker to retrieve instance metadata.

Unless specifically required, we recommend you disable these legacy APIs.

When you set the metadata block, disable-legacy-endpoints defaults to true; the legacy endpoints should not be explicitly re-enabled by setting it to false.

Impact

Legacy metadata endpoints don’t require metadata headers.

Follow the appropriate remediation steps below to resolve the issue.

Disable legacy metadata endpoints

resource "google_container_cluster" "good_example" {
  node_config {
    metadata = {
      # Keep the provider default; never set this key to false.
      disable-legacy-endpoints = true
    }
  }
}
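To verify the same setting on clusters that already exist, rather than only in Terraform, the following added script (not part of the AVD page or of Trivy) walks the JSON that `gcloud container clusters describe NAME --format=json` returns and flags every node config whose disable-legacy-endpoints metadata key is explicitly false. It assumes the GKE API layout of a cluster-level nodeConfig plus nodePools[].config, and the sample cluster embedded below is constructed.

```python
"""Audit a GKE cluster description for re-enabled legacy metadata endpoints.

Added example, not part of the AVD page or Trivy. GKE stores metadata values as
strings, so both the string "false" and a boolean False are treated as a finding.
An absent key is not a finding: per the page above, the default is true.
"""
import json

KEY = "disable-legacy-endpoints"


def legacy_endpoints_enabled(metadata: dict) -> bool:
    """True only when the key is explicitly set to false (string or bool)."""
    value = metadata.get(KEY)
    if value is None:
        return False
    if isinstance(value, bool):
        return not value
    return str(value).strip().lower() == "false"


def audit_cluster(cluster: dict) -> list:
    """Return one finding string per node config that sets the key to false."""
    name = cluster.get("name", "?")
    findings = []
    # Cluster-level default node config (assumed field layout of the GKE API).
    cluster_meta = cluster.get("nodeConfig", {}).get("metadata", {})
    if legacy_endpoints_enabled(cluster_meta):
        findings.append(f"{name}: cluster nodeConfig sets {KEY}=false")
    # Each node pool carries its own config; check every one of them.
    for pool in cluster.get("nodePools", []):
        pool_meta = pool.get("config", {}).get("metadata", {})
        if legacy_endpoints_enabled(pool_meta):
            findings.append(f"{name}/{pool.get('name', '?')}: node pool sets {KEY}=false")
    return findings


# Constructed sample: one compliant pool, one that re-enables legacy endpoints,
# and one that leaves the key unset (secure default).
SAMPLE_CLUSTER = json.loads("""
{
  "name": "demo-cluster",
  "nodeConfig": {"metadata": {"disable-legacy-endpoints": "true"}},
  "nodePools": [
    {"name": "default-pool", "config": {"metadata": {"disable-legacy-endpoints": "true"}}},
    {"name": "legacy-pool", "config": {"metadata": {"disable-legacy-endpoints": "false"}}},
    {"name": "unset-pool", "config": {"metadata": {}}}
  ]
}
""")

if __name__ == "__main__":
    for finding in audit_cluster(SAMPLE_CLUSTER):
        print("AVD-GCP-0048", finding)
```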