GCP-VM-instances-have-block-project-wide-SSH-keys-feature-disabled
Severity: High
Description: This control ensures that Block Project-wide SSH keys is enabled for non-Windows, non-GKE VM instances. It is recommended to use instance-specific SSH key(s) instead of common/shared project-wide SSH key(s) to access instances, so that a key added to project metadata does not grant access to every VM in the project.
Remediation Steps:
To ensure Block Project-wide SSH keys is enabled for VM instances:
GCP Console:
Sign in to GCP Console https://console.cloud.google.com.
Go to VM Instances in Compute Engine.
Click the instance and click Edit.
Mark the check box for Block project-wide SSH keys available under SSH Keys.
Click Save.
gcloud command-line tool:
To block project-wide public SSH keys, set the instance metadata value to true:
gcloud compute instances add-metadata [INSTANCE_NAME] --metadata block-project-ssh-keys=true
Where [INSTANCE_NAME] is the name of the instance on which you want to block project-wide public SSH keys.
Important:
Remediation may deny access to the Compute VM instance for users who currently rely on project-wide SSH keys to reach it.
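The following is an added audit example, not part of this control's text or Blue Hexagon's tooling. It evaluates the JSON that gcloud compute instances list --format=json returns (a constructed, trimmed sample is embedded) against this control: instances that advertise the WINDOWS guest OS feature or carry the goog-gke-node label are treated as out of scope (a heuristic assumed here), and every in-scope instance whose metadata does not set block-project-ssh-keys to true gets the remediation command from the steps above.

```python
import json

# Constructed sample: trimmed output of `gcloud compute instances list --format=json`
# for four hypothetical instances (not real project data).
SAMPLE_INSTANCES = json.loads("""
[
  {"name": "web-1", "zone": "projects/p/zones/us-central1-a", "labels": {},
   "metadata": {"items": [{"key": "block-project-ssh-keys", "value": "true"}]},
   "disks": [{"guestOsFeatures": [{"type": "UEFI_COMPATIBLE"}]}]},
  {"name": "web-2", "zone": "projects/p/zones/us-central1-a", "labels": {},
   "metadata": {"items": [{"key": "enable-oslogin", "value": "FALSE"}]},
   "disks": [{"guestOsFeatures": []}]},
  {"name": "win-1", "zone": "projects/p/zones/us-central1-b", "labels": {},
   "metadata": {"items": []},
   "disks": [{"guestOsFeatures": [{"type": "WINDOWS"}]}]},
  {"name": "gke-node-1", "zone": "projects/p/zones/us-central1-b",
   "labels": {"goog-gke-node": ""},
   "metadata": {"items": [{"key": "cluster-name", "value": "c1"}]},
   "disks": [{"guestOsFeatures": []}]}
]
""")

def in_scope(inst):
    """The control covers non-Windows, non-GKE instances only.
    Windows: a disk advertises the WINDOWS guest OS feature.
    GKE: the goog-gke-node label is present (assumed heuristic)."""
    for disk in inst.get("disks", []):
        if any(f.get("type") == "WINDOWS" for f in disk.get("guestOsFeatures", [])):
            return False
    return "goog-gke-node" not in inst.get("labels", {})

def blocks_project_keys(inst):
    """True only when instance metadata sets block-project-ssh-keys to true
    (compared case-insensitively). An absent key means project-wide keys are accepted."""
    for item in inst.get("metadata", {}).get("items", []):
        if item.get("key") == "block-project-ssh-keys":
            return item.get("value", "").strip().lower() == "true"
    return False

def find_noncompliant(instances):
    """Return one remediation command (from the control) per failing in-scope instance."""
    cmds = []
    for inst in instances:
        if in_scope(inst) and not blocks_project_keys(inst):
            zone = inst["zone"].rsplit("/", 1)[-1]  # zone URL -> short zone name
            cmds.append(f"gcloud compute instances add-metadata {inst['name']} "
                        f"--zone {zone} --metadata block-project-ssh-keys=true")
    return cmds

if __name__ == "__main__":
    for cmd in find_noncompliant(SAMPLE_INSTANCES):
        print(cmd)
```

Review the generated commands before running them, since each one cuts off users who still depend on project-wide keys for that instance.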
Reference:
CIS Google Cloud Platform Foundation Benchmark v1.2.0 - 05-01-2021: Recommendation #4.3
https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys
Blue Hexagon Proprietary