4.3 Ensure 'Block Project-Wide SSH Keys' Is Enabled for VM Instances

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

It is recommended to use Instance specific SSH key(s) instead of using common/shared project-wide SSH key(s) to access Instances.

Rationale:

Project-wide SSH keys are stored in Compute/Project-meta-data. Project wide SSH keys can be used to login into all the instances within project. Using project-wide SSH keys eases the SSH key management but if compromised, poses the security risk which can impact all the instances within project. It is recommended to use Instance specific SSH keys which can limit the attack surface if the SSH keys are compromised.

Impact:

Users already having Project-wide ssh key pairs and using third party SSH clients will lose access to the impacted Instances. For Project users using gcloud or GCP Console based SSH option, no manual key creation and distribution is required and will be handled by GCE (Google Compute Engine) itself. To access Instance using third party SSH clients Instance specific SSH key pairs need to be created and distributed to the required users.

Solution

From Google Cloud Console

Go to the VM instances page by visiting: https://console.cloud.google.com/compute/instances. It will list all the instances in your project.

Click on the name of the Impacted instance

Click Edit in the toolbar

Under SSH Keys, go to the Block project-wide SSH keys checkbox

To block users with project-wide SSH keys from connecting to this instance, select Block project-wide SSH keys

Click Save at the bottom of the page

Repeat steps for every impacted Instance

From Google Cloud CLI
To block project-wide public SSH keys, set the metadata value to TRUE:

gcloud compute instances add-metadata <INSTANCE_NAME> --metadata block-project-ssh-keys=TRUE

Default Value:

By Default Block Project-wide SSH keys is not enabled.

See Also

https://workbench.cisecurity.org/benchmarks/9562