Legacy metadata endpoints should not be explicitly enabled

Severity	Exploitability	Providers	Categories
HIGH	MEDIUM	Google Cloud Provider	DATA

Description

The v0.1 and v1beta1 Compute Engine metadata server endpoints were deprecated and shutdown on 2020. They did not enforce metadata query headers. They are disabled by default.

Impact

Potential data exposure	Visible in logs	User interaction required	Privileges required
True	False	False	False

Virtual Machine's metadata server could be used to extract credentials and thus access private data.

Remediation guidelines

Disable legacy metadata endpoints, with property disable-legacy-endpoints. Alternatively, simply delete this property because its default value is true.

References

• Google Cloud Documentation - Harden your cluster's security
• Google Cloud Documentation - About VM metadata

Was this page helpful?