The Compute Engine instance metadata server exposes legacy v0.1 and v1beta1 endpoints, which do not enforce metadata query headers.
This is a feature in the v1 APIs that makes it more difficult for a potential attacker to retrieve instance metadata.
Unless specifically required, we recommend you disable these legacy APIs.
When setting the
metadata block, the default value for
disable-legacy-endpoints is set to true, they should not be explicitly enabled.
The following example will fail the GCP007 check.
The following example will pass the GCP007 check.