---
title: Serial ports are enabled for VM instances
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > Serial ports are enabled for VM instances
---

# Serial ports are enabled for VM instances

## Metadata{% #metadata %}

**Id:** `ansible-gcp-serial-ports-enabled-for-vm-instances`

**Provider:** GCP

**Platform:** Ansible

**Severity:** Medium

**Category:** Networking and Firewall

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_instance_module.html)

### Description{% #description %}

Enabling the serial console on Google Compute Engine VMs grants low-level interactive access to the instance console. This access path sits outside the network and SSH controls that normally guard the instance, so an actor who knows the project or instance details can interact with or tamper with the VM.

In Ansible, check tasks using `google.cloud.gcp_compute_instance` or `gcp_compute_instance` and ensure the `metadata.serial-port-enable` property is either undefined or explicitly set to `false`. Tasks with `metadata.serial-port-enable: true` are flagged. Remediate by removing the metadata key or setting it to `false`.

Secure Ansible example:

```yaml
- name: Create GCE instance with serial port disabled
  google.cloud.gcp_compute_instance:
    name: my-vm
    machine_type: e2-medium
    metadata:
      "serial-port-enable": false
```
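As an added illustration (not Datadog's rule implementation), the following script applies the check described above to the page's sample tasks in the form Ansible would hand them to a plugin after loading the YAML, where YAML 1.1 `yes`/`no` have already become `True`/`False`. It goes slightly beyond the rule text by also treating the string spellings that GCE accepts for the metadata value (`"true"`, `"yes"`, `"on"`, `"1"`) as enabled; that broadening and the sample task list are assumptions of this example.

```python
"""Constructed check mirroring ansible-gcp-serial-ports-enabled-for-vm-instances."""
from typing import Any

GCE_MODULES = {"google.cloud.gcp_compute_instance", "gcp_compute_instance"}
SERIAL_KEY = "serial-port-enable"
# Assumption: besides YAML booleans, the string spellings GCE treats as "on" count as enabled.
TRUTHY_STRINGS = {"true", "yes", "on", "1"}


def serial_port_enabled(value: Any) -> bool:
    """Return True when the metadata value switches the serial console on."""
    if isinstance(value, bool):
        return value
    if isinstance(value, (int, float)):
        return value == 1
    if isinstance(value, str):
        return value.strip().lower() in TRUTHY_STRINGS
    return False  # undefined / None / unexpected type: console stays disabled


def find_violations(tasks: list[dict]) -> list[str]:
    """Return names of tasks whose GCE instance module enables the serial port."""
    findings = []
    for task in tasks:
        for module, args in task.items():
            if module not in GCE_MODULES or not isinstance(args, dict):
                continue
            metadata = args.get("metadata") or {}  # metadata may be absent or null
            if isinstance(metadata, dict) and serial_port_enabled(metadata.get(SERIAL_KEY)):
                findings.append(task.get("name", "<unnamed task>"))
    return findings


# Constructed sample: the page's compliant and non-compliant tasks as loaded by Ansible,
# plus one extra task using a string value (hypothetical, not from the page).
SAMPLE_TASKS = [
    {"name": "serial_disabled", "google.cloud.gcp_compute_instance": {
        "name": "serial-disabled-instance", "metadata": {"serial-port-enable": False}}},
    {"name": "serial_undefined", "google.cloud.gcp_compute_instance": {
        "name": "serial-undefined-instance", "metadata": {"cost-center": "12345"}}},
    {"name": "serial_enabled", "gcp_compute_instance": {
        "name": "serial-enabled-instance", "metadata": {"serial-port-enable": True}}},
    {"name": "serial_string", "google.cloud.gcp_compute_instance": {
        "name": "serial-string-instance", "metadata": {"serial-port-enable": "TRUE"}}},
]

if __name__ == "__main__":
    for name in find_violations(SAMPLE_TASKS):
        print(f"FAIL {name}: metadata.{SERIAL_KEY} enables the serial console")
```

In a real scan the task list would come from `yaml.safe_load` on the playbook file; the check itself is unchanged.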

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: serial_disabled
  google.cloud.gcp_compute_instance:
    name: serial-disabled-instance
    metadata:
      # The GCE metadata key is serial-port-enable; an explicit false keeps the console off
      serial-port-enable: false
    zone: us-central1-a
    auth_kind: serviceaccount
- name: serial_undefined
  google.cloud.gcp_compute_instance:
    name: serial-undefined-instance
    metadata:
      # No serial-port-enable key at all: the console stays disabled by default
      startup-script-url: gs://graphite-playground/bootstrap.sh
      cost-center: '12345'
    zone: us-central1-a
    auth_kind: serviceaccount
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
- name: serial_enabled
  google.cloud.gcp_compute_instance:
    name: serial-enabled-instance
    metadata:
      serial-port-enable: yes
    zone: us-central1-a
    auth_kind: serviceaccount
```
