π Google GCE Instance Block Project-Wide SSH Keys is not enabled π’
- Contextual name: π Instance Block Project-Wide SSH Keys is not enabled π’
- ID:
/ce/ca/google/compute-engine/instance-project-wide-ssh-key - Located in: π Google GCE
Flagsβ
- π’ Policy with categories
- π’ Policy with type
- π’ Production policy
Our Metadataβ
- Policy Type:
COMPLIANCE_POLICY - Policy Category:
SECURITY
Similar Policiesβ
- Cloud Conformity
Logicβ
- π§ prod.logic.yaml π’
Descriptionβ
Descriptionβ
It is recommended to use Instance specific SSH key(s) instead of using common/shared project-wide SSH key(s) to access Instances.
Rationaleβ
Project-wide SSH keys are stored in Compute/Project-meta-data. Project wide SSH keys can be used to login into all the instances within project. Using project-wide SSH keys eases the SSH key management but if compromised, poses the security risk which can impact all the instances within project. It is recommended to use Instance specific SSH keys which can limit the attack surface if the SSH keys are compromised.
Impactβ
Users already having Project-wide ssh key pairs and using third party SSH clients will lose access to the impacted Instances. For Project users using gcloud or GCP Console based SSH option, no manual key creation and distribution is required and will be handled by GCE (Google Compute Engine) itself. To access Instance using third party SSH clients Instance specific SSH key pairs need to be created and distributed to the required users.
Auditβ
... see more
Remediationβ
Remediationβ
From Google Cloud Consoleβ
- Go to the
VM instancespage by visiting: https://console.cloud.google.com/compute/instances. It will list all the instances in your project.- Click on the name of the Impacted instance
- Click
Editin the toolbar- Under SSH Keys, go to the
Block project-wide SSH keyscheckbox- To block users with project-wide SSH keys from connecting to this instance, select
Block project-wide SSH keys- Click
Saveat the bottom of the page- Repeat steps for every impacted Instance
From Google Cloud CLIβ
To block project-wide public SSH keys, set the metadata value to
TRUE:gcloud compute instances add-metadata <INSTANCE_NAME> --metadata block-project-ssh-keys=TRUE
policy.yamlβ
Linked Framework Sectionsβ
| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|---|---|---|---|
| πΌ CIS GCP v3.0.0 β πΌ 4.3 Ensure βBlock Project-Wide SSH Keysβ Is Enabled for VM Instances - Level 1 (Automated) | 1 | |||
| πΌ Cloudaware Framework β πΌ Secure Access | 43 |