Your organization operates about 200 Compute Engine VMs across several projects. Developers currently access the VMs over SSH using individual public keys stored in instance metadata. Security wants to ensure that:
SSH access can be revoked immediately when a user's Cloud Identity account is disabled.
Administrators can see which Google account opened every SSH session in Cloud Logging.
Which approach meets these requirements with the least operational effort?
Convert the VMs into managed instance groups and deploy an endpoint security agent that records and reports SSH login activity.
Enable OS Login at the project level for all VMs, delete existing SSH keys from metadata, and grant developers the compute.osLogin IAM role.
Add a startup script that rotates instance-level SSH keys daily and stores the new keys in Secret Manager, granting developers access to the secrets.
Require Identity-Aware Proxy (IAP) TCP forwarding by adding a firewall rule that blocks direct TCP 22 and instruct users to connect through IAP.
OS Login binds a Linux user account on the VM to the user's IAM identity. Granting the compute.osLogin (or compute.osAdminLogin) role lets a principal connect; removing the role or disabling the Cloud Identity account instantly prevents SSH logins without touching instance metadata. OS Login also emits Cloud Audit Logs that include the principal's email for every successful or failed SSH attempt. Firewall rules, key-rotation scripts, and extra agents do not tie SSH authorization directly to IAM identities and still require manual key distribution or separate logging solutions.
GCP Associate Cloud Engineer
Planning and implementing a cloud solution