GCP-VM-instances-have-block-project-wide-SSH-keys-feature-disabled

Severity: High

Description: This control ensures that Block project-wide SSH keys is enabled for non-Windows, non-GKE VM instances. Use instance-specific SSH key(s) instead of common/shared project-wide SSH key(s) to access instances, so that a key added at the project level does not grant login to every instance in the project.

Remediation Steps:

To ensure that Block project-wide SSH keys is enabled for VM instances:

GCP Console:

  1. Sign in to GCP Console https://console.cloud.google.com.

  2. Go to VM Instances in Compute Engine.

  3. Click the instance name, then click Edit.

  4. Mark the check box for Block project-wide SSH keys available under SSH Keys.

  5. Click Save.

gcloud command-line tool:

To block project-wide public SSH keys, set the instance metadata value to true:

gcloud compute instances add-metadata [INSTANCE_NAME] --metadata block-project-ssh-keys=true

Where [INSTANCE_NAME] is the name of the instance on which you want to block project-wide public SSH keys.

Important:

Remediation may deny access to the Compute VM instance for users who rely on project-wide SSH keys to reach it; confirm those users have instance-specific keys (or OS Login) before applying it.
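The following is an added example, not part of the original control text or of any Blue Hexagon or Google tooling. It evaluates instance records in the shape returned by gcloud compute instances describe --format=json against this control: an instance passes when its metadata carries block-project-ssh-keys=true, and for each failing instance it emits the add-metadata command from the remediation steps above. The sample instance list is constructed. The scope filter (skipping GKE nodes via the goog-gke-node label and Windows instances via a WINDOWS guest OS feature on a disk) and the OS Login note are assumptions added here, not part of the control.

```python
"""Evaluate GCP Compute Engine instance JSON against the
block-project-ssh-keys control and suggest remediation for failures."""
import json

# Constructed sample, trimmed to the fields this check reads.
# The shape mimics `gcloud compute instances describe NAME --format=json`.
SAMPLE_INSTANCES = json.loads("""
[
  {"name": "web-1",
   "metadata": {"items": [{"key": "block-project-ssh-keys", "value": "TRUE"}]}},
  {"name": "web-2",
   "metadata": {"items": [{"key": "block-project-ssh-keys", "value": "false"}]}},
  {"name": "batch-3",
   "metadata": {"items": [{"key": "startup-script", "value": "#! /bin/bash"}]}},
  {"name": "gke-node-1", "labels": {"goog-gke-node": ""},
   "metadata": {"items": []}},
  {"name": "win-1", "disks": [{"guestOsFeatures": [{"type": "WINDOWS"}]}],
   "metadata": {"items": []}},
  {"name": "oslogin-1",
   "metadata": {"items": [{"key": "enable-oslogin", "value": "TRUE"}]}}
]
""")


def metadata_value(instance, key):
    """Return the string value of an instance metadata key, or None if absent."""
    for item in (instance.get("metadata") or {}).get("items") or []:
        if item.get("key") == key:
            return str(item.get("value", ""))
    return None


def is_true(value):
    """GCP metadata booleans are strings; the page uses 'true', Google docs 'TRUE'."""
    return value is not None and value.strip().lower() == "true"


def is_in_scope(instance):
    """Control applies to non-Windows, non-GKE instances.
    Detection heuristics are assumptions: GKE nodes carry the goog-gke-node
    label; Windows images expose a WINDOWS guest OS feature on the boot disk."""
    if "goog-gke-node" in (instance.get("labels") or {}):
        return False
    for disk in instance.get("disks") or []:
        for feature in disk.get("guestOsFeatures") or []:
            if feature.get("type") == "WINDOWS":
                return False
    return True


def evaluate(instance):
    """Return a finding dict: status pass / fail / not_applicable."""
    name = instance["name"]
    if not is_in_scope(instance):
        return {"name": name, "status": "not_applicable"}
    if is_true(metadata_value(instance, "block-project-ssh-keys")):
        return {"name": name, "status": "pass"}
    finding = {
        "name": name,
        "status": "fail",
        # Remediation command taken from the control's gcloud steps.
        "remediation": (f"gcloud compute instances add-metadata {name} "
                        "--metadata block-project-ssh-keys=true"),
    }
    if is_true(metadata_value(instance, "enable-oslogin")):
        # With OS Login enabled, metadata-based SSH keys are not used for
        # login, so the exposure is lower; still set the flag for consistency.
        finding["note"] = "enable-oslogin is TRUE; metadata SSH keys are ignored"
    return finding


def evaluate_all(instances):
    return [evaluate(inst) for inst in instances]


if __name__ == "__main__":
    for result in evaluate_all(SAMPLE_INSTANCES):
        print(json.dumps(result))
```

To run it against a real project, replace SAMPLE_INSTANCES with the parsed output of gcloud compute instances list --format=json and review the emitted add-metadata commands before executing them, keeping the access caveat above in mind.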

Reference:

Blue Hexagon Proprietary