Skip to content

metadata-endpoints-disabled

Default Severity: high

Explanation

The Compute Engine instance metadata server exposes legacy v0.1 and v1beta1 endpoints, which do not enforce metadata query headers.

This is a feature in the v1 APIs that makes it more difficult for a potential attacker to retrieve instance metadata.

Unless specifically required, we recommend you disable these legacy APIs.

When setting the metadata block, the default value for disable-legacy-endpoints is set to true, they should not be explicitly enabled.

Possible Impact

Legacy metadata endpoints don't require metadata headers

Suggested Resolution

Disable legacy metadata endpoints

Insecure Example

The following example will fail the google-gke-metadata-endpoints-disabled check.

 resource "google_container_cluster" "bad_example" {
    metadata {
     disable-legacy-endpoints = false
   }
 }

Secure Example

The following example will pass the google-gke-metadata-endpoints-disabled check.

 resource "google_container_cluster" "good_example" {
    metadata {
     disable-legacy-endpoints = true
   }
 }