Ensure GCP VM instances have block project-wide SSH keys feature enabled

Error: GCP VM instances have block project-wide SSH keys feature disabled

Bridgecrew Policy ID: BC_GCP_NETWORKING_8
Checkov Check ID: CKV_GCP_32
Severity: HIGH

GCP VM instances have block project-wide SSH keys feature disabled

Description

Project-wide SSH keys are stored in Compute/Project-meta-data. Project wide SSH keys can be used to login into all instances within a project. Using project-wide SSH keys eases SSH key management. If SSH keys are compromised, the potential security risk can impact all instances within a project.

We recommend you use Instance specific SSH keys instead of common/shared project-wide SSH key(s), to limit the attack surface should the SSH keys be compromised.

Fix - Runtime

GCP Console

To change the policy using the GCP Console, follow these steps:

  1. Log in to the GCP Console at https://console.cloud.google.com.
  2. Navigate to VM instances.
  3. List all the instances in your project.
  4. Click the name of the Impacted instance.
  5. Click Edit in the toolbar.
  6. Under SSH Keys, navigate to Block project-wide SSH keys .
  7. To block users with project-wide SSH keys from connecting to this instance, select Block project-wide SSH keys.
  8. At the bottom of the page, click Save.

Repeat these steps for each impacted Instance.

CLI Command

To block project-wide public SSH keys, set the metadata value to TRUE using the following command:

gcloud compute instances add-metadata INSTANCE_NAME 
--metadata block-projectssh-keys=TRUE

Fix - Buildtime

Terraform

  • Resource: google_compute_instance
  • Field: metadata
  • Argument: block-project-ssh-keys
resource "google_compute_instance" "default" {
  name         = "test"
  machine_type = "n1-standard-1"
  zone         = "us-central1-a"
  metadata = {
+     block-project-ssh-keys = true
  }
}

Did this page help you?