Profile Applicability:

Level 1

Description:

Enabling Block Project-Wide SSH Keys for VM instances ensures that only instance-specific SSH keys are used for access, preventing the use of shared project-wide SSH keys.

Rationale:

Project-wide SSH keys, stored in Compute Engine project metadata, provide access to all instances in a project. This approach simplifies SSH key management but increases security risks. If project-wide SSH keys are compromised, all instances within the project are vulnerable. By using instance-specific SSH keys, access is limited to individual instances, reducing the potential attack surface.

Impact:

  • Users relying on project-wide SSH keys will lose access to affected instances.

  • Users accessing instances via the gcloud command-line tool or GCP Console SSH feature will not need manual key distribution.

  • For users using third-party SSH clients, instance-specific SSH keys must be manually created and distributed.

Default Value:

By default, Block Project-Wide SSH Keys is not enabled for VM instances.

Audit Steps:

From Google Cloud Console:

  1. Navigate to the VM Instances page: https://console.cloud.google.com/compute/instances.

  2. Click the name of each instance to view its details.

  3. Under SSH Keys, verify that Block project-wide SSH keys is selected.

From Google Cloud CLI:

  1. List all instances together with their metadata:

     gcloud compute instances list --format=json

  2. Ensure the metadata key block-project-ssh-keys is set to true for every instance.
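As an added example (not part of the CIS text), a small Python audit that applies the check above to the JSON emitted by gcloud compute instances list --format=json. The instance records are constructed sample data; the enable-oslogin exemption follows the Additional Information note and, as an assumption, only instance-level OS Login metadata is visible in this output, so project-level OS Login must be checked separately.

```python
import json

# Constructed sample of `gcloud compute instances list --format=json` output,
# trimmed to the fields this check reads. Not real instance data.
SAMPLE_INSTANCES = json.loads("""[
  {"name": "web-1",   "zone": "us-central1-a",
   "metadata": {"items": [{"key": "block-project-ssh-keys", "value": "TRUE"}]}},
  {"name": "web-2",   "zone": "us-central1-b",
   "metadata": {"items": [{"key": "block-project-ssh-keys", "value": "false"}]}},
  {"name": "db-1",    "zone": "us-central1-a",
   "metadata": {"items": [{"key": "startup-script", "value": "#! /bin/bash"}]}},
  {"name": "bastion", "zone": "us-central1-a",
   "metadata": {"items": [{"key": "enable-oslogin", "value": "TRUE"}]}},
  {"name": "legacy",  "zone": "us-central1-a", "metadata": {}}
]""")

def metadata_dict(instance):
    # Instances without custom metadata have no "items" list at all; don't crash on them.
    items = instance.get("metadata", {}).get("items", [])
    return {item["key"]: item.get("value", "") for item in items}

def is_true(value):
    # Compute Engine reads this key case-insensitively (TRUE/true), so compare that way.
    return value is not None and value.strip().lower() == "true"

def audit_block_project_ssh_keys(instances):
    """Return [(name, zone, status)]. status is "compliant" when
    block-project-ssh-keys is true; "exempt-oslogin" when instance-level
    enable-oslogin is true (metadata SSH keys are then ignored; project-level
    OS Login is not visible here); otherwise "non-compliant" (key missing
    or any value other than true)."""
    findings = []
    for inst in instances:
        md = metadata_dict(inst)
        if is_true(md.get("block-project-ssh-keys")):
            status = "compliant"
        elif is_true(md.get("enable-oslogin")):
            status = "exempt-oslogin"
        else:
            status = "non-compliant"
        # gcloud prints the zone as a full URL; keep only the zone name for the CLI.
        findings.append((inst["name"], inst.get("zone", "").rsplit("/", 1)[-1], status))
    return findings

def remediation_commands(instances):
    # This recommendation's remediation command, one per non-compliant instance.
    return [f"gcloud compute instances add-metadata {name} --zone {zone} "
            f"--metadata block-project-ssh-keys=TRUE"
            for name, zone, status in audit_block_project_ssh_keys(instances)
            if status == "non-compliant"]
```

To audit a real project, replace SAMPLE_INSTANCES with json.load(sys.stdin) and pipe the gcloud output into the script.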

Remediation Steps:

From Google Cloud Console:

  1. Navigate to the VM Instances page: https://console.cloud.google.com/compute/instances.

  2. Click the name of the affected instance.

  3. Click Edit in the toolbar.

  4. Under SSH Keys, select the checkbox Block project-wide SSH keys.

  5. Click Save at the bottom of the page.

  6. Repeat these steps for all impacted instances.

From Google Cloud CLI:

Set the block-project-ssh-keys metadata value to true:

gcloud compute instances add-metadata <INSTANCE_NAME> --metadata block-project-ssh-keys=TRUE

References:

  1. Adding and Removing SSH Keys

  2. gcloud Formats

Additional Information:

  • If OS Login is enabled, SSH keys in instance metadata are ignored, and blocking project-wide SSH keys is unnecessary.

CIS Controls:

Control | Description | IG 1 | IG 2 | IG 3
3.10 Encrypt Sensitive Data in Transit | Encrypt sensitive data in transit using protocols like TLS and SSH. | | |
5.2 Use Unique Passwords | Use unique passwords for enterprise assets to reduce unauthorized access risks. | | |
16.5 Encrypt Credential Transmittals | Ensure all usernames and authentication credentials are transmitted using encrypted channels. | | |