> For the complete documentation index, see [llms.txt](https://surecloud.gitbook.io/surecloud-docs/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://surecloud.gitbook.io/surecloud-docs/integrations/ccm-and-evidence-collection-integrations/google-cloud/compute-engine.md).

# Compute Engine

SureCloud enumerates every Compute Engine VM instance across the monitored GCP projects and inspects each instance's security configuration. It checks whether OS Login is enabled (evaluating the project-level setting first), records whether each boot disk is encrypted with a Customer-Managed Encryption Key (CMEK) or left on default Google-managed encryption, reviews VPC firewall rules for rules that allow ingress from `0.0.0.0/0` or `::/0` on sensitive ports, and audits service account assignments to detect instances that run as the default Compute Engine service account with broad OAuth scopes.
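The service-account and boot-disk checks described above, as an added example that is not SureCloud's own code. The instance and disk records are constructed in the shape `compute.instances.aggregatedList` and `compute.disks.aggregatedList` return; the project number, the resource names and the set of scopes treated as "broad" are assumptions for illustration.

```python
"""Instance-level checks: default compute service account with broad scopes,
and the encryption type of each VM's boot disk (added example, not SureCloud code)."""
import re

# The default Compute Engine service account is always
# {PROJECT_NUMBER}-compute@developer.gserviceaccount.com.
DEFAULT_COMPUTE_SA = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")

# Assumption: these two scopes are what this example treats as "broad".
BROAD_SCOPES = {
    "https://www.googleapis.com/auth/cloud-platform",
    "https://www.googleapis.com/auth/compute",
}

# Constructed sample data; project "demo" and number 123456789012 are made up.
DISKS = [
    {"selfLink": "https://www.googleapis.com/compute/v1/projects/demo/zones/us-central1-a/disks/web-1",
     "diskEncryptionKey": {"kmsKeyName": "projects/demo/locations/us/keyRings/vm/cryptoKeys/boot"}},
    {"selfLink": "https://www.googleapis.com/compute/v1/projects/demo/zones/us-central1-a/disks/legacy-1"},
    {"selfLink": "https://www.googleapis.com/compute/v1/projects/demo/zones/us-central1-a/disks/csek-1",
     "diskEncryptionKey": {"sha256": "c0ffee00"}},   # constructed key hash
]
INSTANCES = [
    {"name": "web-1",
     "disks": [{"boot": True, "source": DISKS[0]["selfLink"]}],
     "serviceAccounts": [{"email": "web-sa@demo.iam.gserviceaccount.com",
                          "scopes": ["https://www.googleapis.com/auth/logging.write"]}]},
    {"name": "legacy-1",
     "disks": [{"boot": True, "source": DISKS[1]["selfLink"]}],
     "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
                          "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}]},
    {"name": "csek-1",
     "disks": [{"boot": True, "source": DISKS[2]["selfLink"]}],
     "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
                          "scopes": ["https://www.googleapis.com/auth/devstorage.read_only"]}]},
]


def disk_encryption_kind(disk):
    """CMEK when a Cloud KMS key is attached, CSEK when the API reports only the
    hash of a customer-supplied key, otherwise Google-managed (the default when
    diskEncryptionKey is absent)."""
    key = disk.get("diskEncryptionKey") or {}
    if key.get("kmsKeyName"):
        return "CMEK"
    if key.get("sha256"):
        return "CSEK"
    return "GOOGLE_MANAGED"


def default_sa_with_broad_scopes(instance):
    """Return the broad scopes granted to the default compute SA, or an empty
    list when the VM runs as another identity or only has narrow scopes."""
    for sa in instance.get("serviceAccounts", []):
        if DEFAULT_COMPUTE_SA.match(sa.get("email", "")):
            return sorted(BROAD_SCOPES & set(sa.get("scopes", [])))
    return []


def assess_instances(instances, disks):
    """Join each instance to its boot disk via the disk selfLink and report both checks."""
    by_link = {d["selfLink"]: d for d in disks}
    report = {}
    for inst in instances:
        boot = next((d for d in inst.get("disks", []) if d.get("boot")), None)
        disk = by_link.get(boot["source"]) if boot else None
        report[inst["name"]] = {
            "boot_disk_encryption": disk_encryption_kind(disk) if disk else "UNKNOWN",
            "default_sa_broad_scopes": default_sa_with_broad_scopes(inst),
        }
    return report


if __name__ == "__main__":
    for name, result in assess_instances(INSTANCES, DISKS).items():
        print(name, result)
```

The join on `selfLink` matters because the instance resource only references its disks; the encryption key details live on the disk resource returned by `compute.disks.aggregatedList`.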

## Endpoints

| API Call                             | Use Case                                                                    |
| ------------------------------------ | --------------------------------------------------------------------------- |
| `compute.instances.aggregatedList`   | Enumerate all VM instances across all zones in a project                    |
| `compute.projects.get`               | Read project-level metadata including OS Login enforcement settings         |
| `compute.disks.aggregatedList`       | Enumerate persistent disks and check encryption key configuration           |
| `compute.firewalls.list`             | List all VPC firewall rules; detect open ingress rules (source `0.0.0.0/0` or `::/0`) |
| `compute.networks.list`              | Enumerate VPC networks and retrieve their firewall rule associations        |
| `compute.subnetworks.aggregatedList` | Enumerate subnetworks and check Private Google Access configuration         |

## Pagination

Aggregated Compute Engine list calls return results in `items`, keyed by scope: `zones/<zone>` for zonal resources such as instances and disks, `regions/<region>` for regional ones. Pagination uses a single top-level `nextPageToken`; one page can carry entries for several zones, and a single zone's resources can be split across pages. A zone with nothing to return on a page appears with a `warning` of code `NO_RESULTS_ON_PAGE` rather than an empty list, and zones the API could not query are listed in `unreachables` instead of `items`. SureCloud requests pages until no `nextPageToken` is returned and merges the per-zone entries across pages.

```json
{
  "kind": "compute#instanceAggregatedList",
  "items": {
    "zones/us-central1-a": {
      "instances": [ { "name": "my-vm", ... } ]
    },
    "zones/us-central1-b": {
      "warning": { "code": "NO_RESULTS_ON_PAGE", ... }
    }
  },
  "nextPageToken": "EhQ..."
}
```
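A page walker for the response shape above, as an added example that is not SureCloud code. The two pages are constructed sample responses keyed by the `pageToken` that requests them; in a real run `fetch_page` would call `compute.instances.aggregatedList` with `pageToken` set, and the zone and instance names are made up.

```python
"""Follow nextPageToken across aggregatedList pages and flatten the per-zone
entries (added example, not SureCloud code)."""

# Constructed sample pages, keyed by the pageToken that requests each one.
# None requests the first page. us-central1-b has no instances and comes back
# with a NO_RESULTS_ON_PAGE warning; asia-east1-a could not be queried and is
# reported in `unreachables`, not in `items`.
SAMPLE_PAGES = {
    None: {
        "kind": "compute#instanceAggregatedList",
        "items": {
            "zones/us-central1-a": {"instances": [{"name": "web-1"}, {"name": "web-2"}]},
            "zones/us-central1-b": {
                "warning": {"code": "NO_RESULTS_ON_PAGE",
                            "message": "There are no results for scope 'zones/us-central1-b' on this page."}
            },
        },
        "nextPageToken": "EhQ-page2",
    },
    "EhQ-page2": {
        "kind": "compute#instanceAggregatedList",
        "items": {
            # same zone as page 1: a zone's instances can span pages
            "zones/us-central1-a": {"instances": [{"name": "web-3"}]},
            "zones/europe-west1-b": {"instances": [{"name": "db-1"}]},
        },
        "unreachables": ["zones/asia-east1-a"],
        # no nextPageToken: this is the last page
    },
}


def fetch_page(page_token):
    """Stand-in for the API call; returns the constructed page for a token."""
    return SAMPLE_PAGES[page_token]


def collect_instances(fetch):
    """Return {"instances": {zone: [names]}, "unreachable": [scopes]}.

    Keeps requesting pages while the top-level nextPageToken is present,
    merges zones that appear on more than one page, ignores warning-only
    zone entries, and surfaces unreachable scopes so they are not silently
    treated as empty."""
    instances = {}
    unreachable = []
    token = None
    while True:
        page = fetch(token)
        for scope, entry in page.get("items", {}).items():
            zone = scope.split("/", 1)[1]          # "zones/us-central1-a" -> "us-central1-a"
            for inst in entry.get("instances", []):
                instances.setdefault(zone, []).append(inst["name"])
        unreachable.extend(page.get("unreachables", []))
        token = page.get("nextPageToken")
        if not token:
            break
    return {"instances": instances, "unreachable": unreachable}


if __name__ == "__main__":
    result = collect_instances(fetch_page)
    for zone, names in sorted(result["instances"].items()):
        print(zone, names)
    if result["unreachable"]:
        print("unreachable:", result["unreachable"])
```

Reporting `unreachable` separately is the point: a zone that is missing from `items` because the API could not reach it should show up as a coverage gap, not as "no instances".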

## Required permissions

| Role                         | Grants                                                                                                          |
| ---------------------------- | --------------------------------------------------------------------------------------------------------------- |
| `roles/iam.securityReviewer` | Includes `compute.instances.list`, `compute.firewalls.list`, `compute.disks.list`, and related read permissions |

## Troubleshooting

<details>

<summary>OS Login status shows as disabled for instances where it is enabled</summary>

OS Login can be enabled at the project level (project metadata key `enable-oslogin` set to `TRUE`) or at the instance level (the same key in the instance's metadata; values are matched case-insensitively). SureCloud reads both. When a project-level value is present, the reported status follows it and instance-level values are not considered. Compute Engine itself resolves the key the other way round: an instance-level value overrides the project-level value for that VM. A VM that sets `enable-oslogin` to `TRUE` in its own metadata while the project leaves it `FALSE` therefore has OS Login enabled in practice but is reported as disabled, and a VM that sets it to `FALSE` stays disabled even when the project enables it.

Confirm the project metadata in **Compute Engine → Metadata → Edit** and verify the `enable-oslogin` key is set to `true`. Instance-level overrides can be found on each VM's details page under **Metadata**.

</details>
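The two resolution orders side by side, as an added example that is not SureCloud code: the project-first evaluation this page describes for the reported status, and the instance-overrides-project order Compute Engine enforces. The project and instance records are constructed in the shape `compute.projects.get` (`commonInstanceMetadata`) and the instance resource (`metadata`) return; the names and values are made up.

```python
"""Resolve enable-oslogin project-first (reported status) and instance-first
(effective status) and list the VMs where the two disagree
(added example, not SureCloud code)."""


def oslogin_flag(metadata):
    """True/False for an enable-oslogin key, None when the key is absent.
    Compute Engine compares the value case-insensitively ("TRUE" == "true")."""
    for item in (metadata or {}).get("items", []):
        if item.get("key") == "enable-oslogin":
            return item.get("value", "").strip().lower() == "true"
    return None


def oslogin_reported(project, instance):
    """Project-first order, as described for SureCloud's reporting: a
    project-level value wins when present, otherwise the instance value."""
    flag = oslogin_flag(project.get("commonInstanceMetadata"))
    if flag is None:
        flag = oslogin_flag(instance.get("metadata"))
    return bool(flag)


def oslogin_effective(project, instance):
    """What Compute Engine enforces on the VM: an instance-level value
    overrides the project-level value; with neither set, OS Login is off."""
    flag = oslogin_flag(instance.get("metadata"))
    if flag is None:
        flag = oslogin_flag(project.get("commonInstanceMetadata"))
    return bool(flag)


def oslogin_discrepancies(project, instances):
    """(name, reported, effective) for every VM where an instance-level
    override contradicts the project setting."""
    out = []
    for inst in instances:
        reported = oslogin_reported(project, inst)
        effective = oslogin_effective(project, inst)
        if reported != effective:
            out.append((inst["name"], reported, effective))
    return out


# Constructed sample: the project disables OS Login, vm-b re-enables it locally.
PROJECT = {"commonInstanceMetadata": {"items": [{"key": "enable-oslogin", "value": "FALSE"}]}}
INSTANCES = [
    {"name": "vm-a", "metadata": {"items": []}},
    {"name": "vm-b", "metadata": {"items": [{"key": "enable-oslogin", "value": "TRUE"}]}},
]

if __name__ == "__main__":
    for name, reported, effective in oslogin_discrepancies(PROJECT, INSTANCES):
        print(f"{name}: reported={reported} effective={effective}")
```

`vm-b` is exactly the case in the troubleshooting entry: enabled on the VM, reported as disabled because the project value is read first. The fix that satisfies both evaluations is to enable the key at project level and remove per-instance overrides.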

<details>

<summary>Firewall rules permitting open ingress are not being flagged</summary>

SureCloud evaluates firewall rules for source CIDR `0.0.0.0/0` and `::/0`. Rules that use source tags or service accounts instead of IP ranges are not flagged as open-to-all, as they restrict access to specific tagged resources.

If a rule with a broad source CIDR is not appearing, confirm it is in the `INGRESS` direction and is set to `ALLOW`. Egress rules and implicit deny rules are not evaluated for open ingress findings.

</details>

<details>

<summary>VM instances in a specific zone are missing</summary>

The `aggregatedList` call covers every zone in a project. If instances from one zone are missing, first check whether that zone appears in the `unreachables` array of the `aggregatedList` response, which lists scopes the API could not query. If instances are missing for the whole project, the project may be inside a VPC Service Controls perimeter that blocks the Compute Engine API for the SureCloud service account; perimeters apply to the project as a whole, not to individual zones.

Check whether VPC Service Controls are configured for the project and whether the SureCloud service account is covered by an access level (or an ingress rule) that permits calls to the Compute Engine API from outside the perimeter.

</details>

