Profile Applicability:
Level 1
Description:
Enabling Block Project-Wide SSH Keys on a VM instance ensures that only SSH keys stored in that instance's own metadata are accepted for access, so shared project-wide SSH keys no longer grant access to it.
Rationale:
Project-wide SSH keys, stored in Compute Engine project metadata, provide access to all instances in a project. This approach simplifies SSH key management but increases security risks. If project-wide SSH keys are compromised, all instances within the project are vulnerable. By using instance-specific SSH keys, access is limited to individual instances, reducing the potential attack surface.
Impact:
Users relying on project-wide SSH keys will lose access to affected instances.
Users accessing instances via the gcloud command-line tool or GCP Console SSH feature will not need manual key distribution.
For users using third-party SSH clients, instance-specific SSH keys must be manually created and distributed.
Default Value:
By default, Block Project-Wide SSH Keys is not enabled for VM instances.
Audit Steps:
From Google Cloud Console:
Navigate to the VM Instances page: https://console.cloud.google.com/compute/instances.
Click the name of each instance to view its details.
Under SSH Keys, verify that Block project-wide SSH keys is selected.
From Google Cloud CLI:
List all instances and check their metadata:
gcloud compute instances list --format=json
Ensure the metadata key block-project-ssh-keys is set to true for all instances.
Remediation Steps:
From Google Cloud Console:
Navigate to the VM Instances page: https://console.cloud.google.com/compute/instances.
Click the name of the affected instance.
Click Edit in the toolbar.
Under SSH Keys, select the checkbox Block project-wide SSH keys.
Click Save at the bottom of the page.
Repeat these steps for all impacted instances.
From Google Cloud CLI:
Set the block-project-ssh-keys metadata value to true:
gcloud compute instances add-metadata <INSTANCE_NAME> --metadata block-project-ssh-keys=TRUE
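The following Python script is an added example, not part of this recommendation or of the gcloud tool, that performs the CLI audit above over the JSON produced by gcloud compute instances list --format=json and prints the remediation command for every instance that fails. It assumes the JSON shape of the Compute Engine instance resource (an items list of key/value pairs under metadata) and treats an instance with enable-oslogin set to TRUE in its own metadata as compliant, following the Additional Information below; OS Login enabled only at project level is not visible in this output and would need a separate check of project metadata. The sample output embedded in the script is constructed for illustration.

```python
import json

# Constructed sample of `gcloud compute instances list --format=json` output,
# trimmed to the fields this check needs. Names and zones are made up.
SAMPLE_GCLOUD_OUTPUT = json.dumps([
    {
        "name": "web-1",
        "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-a",
        "metadata": {"items": [{"key": "block-project-ssh-keys", "value": "TRUE"}]},
    },
    {
        "name": "web-2",
        "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-a",
        "metadata": {"items": [{"key": "startup-script", "value": "#! /bin/bash"}]},
    },
    {
        "name": "bastion",
        "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/europe-west1-b",
        "metadata": {"items": [{"key": "block-project-ssh-keys", "value": "false"}]},
    },
    {
        "name": "oslogin-box",
        "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/europe-west1-b",
        "metadata": {"items": [{"key": "enable-oslogin", "value": "TRUE"}]},
    },
    {
        # An instance with no custom metadata at all: gcloud omits the items list.
        "name": "no-metadata",
        "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/europe-west1-b",
    },
])


def _metadata_items(instance):
    """Flatten the instance's metadata.items list into a dict of key -> value."""
    items = instance.get("metadata", {}).get("items") or []
    return {item["key"]: str(item.get("value", "")) for item in items}


def _is_true(value):
    """Metadata values are strings; accept TRUE/true as set by the Console or CLI."""
    return value.strip().lower() == "true"


def audit_block_project_ssh_keys(gcloud_json):
    """Return a dict of instance name -> compliance status for the audit step."""
    results = {}
    for inst in json.loads(gcloud_json):
        md = _metadata_items(inst)
        if _is_true(md.get("enable-oslogin", "")):
            # Instance-level OS Login: metadata SSH keys are ignored, so the
            # block-project-ssh-keys setting is unnecessary here.
            results[inst["name"]] = "compliant (OS Login enabled; metadata SSH keys ignored)"
        elif _is_true(md.get("block-project-ssh-keys", "")):
            results[inst["name"]] = "compliant"
        else:
            # Missing key or any non-true value means project-wide keys are accepted.
            results[inst["name"]] = "non-compliant"
    return results


def remediation_commands(gcloud_json):
    """Build the Remediation-section gcloud command for each non-compliant instance."""
    status = audit_block_project_ssh_keys(gcloud_json)
    cmds = []
    for inst in json.loads(gcloud_json):
        if status[inst["name"]] != "non-compliant":
            continue
        # The zone field is a full URL; add-metadata wants the short zone name.
        zone = inst["zone"].rsplit("/", 1)[-1]
        cmds.append(
            f"gcloud compute instances add-metadata {inst['name']} "
            f"--zone {zone} --metadata block-project-ssh-keys=TRUE"
        )
    return cmds


if __name__ == "__main__":
    # In practice, pipe real output in: gcloud compute instances list --format=json | python3 audit.py
    for name, state in audit_block_project_ssh_keys(SAMPLE_GCLOUD_OUTPUT).items():
        print(f"{name}: {state}")
    for cmd in remediation_commands(SAMPLE_GCLOUD_OUTPUT):
        print(cmd)
```

Run against real output by replacing SAMPLE_GCLOUD_OUTPUT with the text read from stdin; the generated commands should be reviewed before execution, since they touch every instance that the audit flags.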
References:
Additional Information:
If OS Login is enabled, SSH keys in instance metadata are ignored, and blocking project-wide SSH keys is unnecessary.