Ensure 'Block Project-Wide SSH Keys' Is Enabled for VM Instances

Project-wide SSH keys are stored in the project's Compute Engine metadata and can be used to log in to every Linux instance in the project that does not block them. Using project-wide SSH keys eases key management, but if a single key is compromised the exposure spans every instance in the project. It is recommended to use instance-specific SSH keys and to set the instance metadata key block-project-ssh-keys to TRUE, which stops project-wide keys from being accepted on that instance and limits the blast radius of a compromised key. Note that the flag only blocks project-wide keys from authenticating; it does not remove them from project metadata, and instance-level SSH keys and OS Login continue to work. Windows instances are excluded from this rule (identified by their disk licenses), since their logins are not managed through metadata SSH keys.

Risk Level: High
Cloud Entity: Virtual Machine Instances
CloudGuard Rule ID: D9.GCP.CRY.02
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

VMInstance where not (disks contain [ licenses contain [ $ like '%windows%' ] ]) should have metadata.items contain-any [ key='block-project-ssh-keys' and value regexMatch /TRUE/i ]
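The following Python is an added worked example, not CloudGuard code: it re-implements the GSL rule above against the JSON document that the Compute API instances.get call (or `gcloud compute instances describe INSTANCE --format=json`) returns, and fills in the gcloud remediation command for each non-compliant instance. The three sample instances are constructed for this example, and the assumption that `regexMatch /TRUE/i` requires the whole value to match is noted in the code.

```python
"""Evaluate GCP Compute Engine instances against the block-project-ssh-keys rule.

Added illustration, not CloudGuard's implementation. Input documents follow the
shape of the Compute API instances.get response; only the fields the GSL rule
inspects (disks[].licenses[], metadata.items[], name, zone) are used.
"""
import re
from typing import Any

BLOCK_KEY = "block-project-ssh-keys"
# Mirrors `value regexMatch /TRUE/i`. Assumption: the GSL operator matches the
# whole value, so "TRUE", "true" and "True" pass while "FALSE" does not.
TRUE_RE = re.compile(r"TRUE", re.IGNORECASE)


def is_windows(instance: dict[str, Any]) -> bool:
    """Rule exclusion: any attached disk carries a license URL containing 'windows'."""
    return any(
        "windows" in lic.lower()
        for disk in instance.get("disks", [])
        for lic in disk.get("licenses", [])
    )


def blocks_project_keys(instance: dict[str, Any]) -> bool:
    """metadata.items contain-any [ key='block-project-ssh-keys' and value regexMatch /TRUE/i ]"""
    items = instance.get("metadata", {}).get("items", [])
    return any(
        item.get("key") == BLOCK_KEY and TRUE_RE.fullmatch(item.get("value") or "") is not None
        for item in items
    )


def evaluate(instance: dict[str, Any]) -> str:
    """Return 'excluded' for Windows instances, else 'compliant' or 'non-compliant'."""
    if is_windows(instance):
        return "excluded"
    return "compliant" if blocks_project_keys(instance) else "non-compliant"


def remediation_command(instance: dict[str, Any]) -> str:
    """The gcloud command from the remediation section, filled in for one instance.

    The API returns the zone as a URL; gcloud expects only its last path segment.
    """
    zone = instance["zone"].rsplit("/", 1)[-1]
    return (
        f"gcloud compute instances add-metadata {instance['name']} "
        f"--metadata {BLOCK_KEY}=TRUE --zone {zone}"
    )


def audit(instances: list[dict[str, Any]]) -> list[tuple[str, str]]:
    """Evaluate every instance; return (name, status) pairs in input order."""
    return [(inst["name"], evaluate(inst)) for inst in instances]


# Constructed sample instances (not real resources).
ZONE = "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-a"
DEBIAN_LICENSE = (
    "https://www.googleapis.com/compute/v1/projects/debian-cloud/global/licenses/debian-12-bookworm"
)
WINDOWS_LICENSE = (
    "https://www.googleapis.com/compute/v1/projects/windows-cloud/global/licenses/windows-server-2022-dc"
)

LINUX_OPEN = {  # no flag at all: project-wide keys are accepted
    "name": "web-1", "zone": ZONE,
    "disks": [{"licenses": [DEBIAN_LICENSE]}],
    "metadata": {"items": [{"key": "enable-oslogin", "value": "FALSE"}]},
}
LINUX_FALSE = {  # flag present but explicitly FALSE: still non-compliant
    "name": "web-2", "zone": ZONE,
    "disks": [{"licenses": [DEBIAN_LICENSE]}],
    "metadata": {"items": [{"key": BLOCK_KEY, "value": "FALSE"}]},
}
LINUX_BLOCKED = {  # lowercase value is accepted because the match is case-insensitive
    "name": "db-1", "zone": ZONE,
    "disks": [{"licenses": [DEBIAN_LICENSE]}],
    "metadata": {"items": [{"key": BLOCK_KEY, "value": "true"}]},
}
WINDOWS_HOST = {  # excluded by the `not (disks contain [ licenses contain ... ])` clause
    "name": "ad-1", "zone": ZONE,
    "disks": [{"licenses": [WINDOWS_LICENSE]}],
    "metadata": {"items": []},
}

if __name__ == "__main__":
    fleet = [LINUX_OPEN, LINUX_FALSE, LINUX_BLOCKED, WINDOWS_HOST]
    for name, status in audit(fleet):
        print(f"{name:8} {status}")
    for inst in fleet:
        if evaluate(inst) == "non-compliant":
            print(remediation_command(inst))
```

Running the module prints one status line per instance and then the exact gcloud command for each instance that still accepts project-wide keys; in a real audit the sample dictionaries would be replaced by the parsed output of `gcloud compute instances list --format=json`.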

REMEDIATION

From Portal

  1. Go to the VM instances page using https://console.cloud.google.com/compute/instances
  2. Click on the name of the impacted instance
  3. Click Edit in the toolbar
  4. Under SSH Keys, go to the Block project-wide SSH keys checkbox
  5. To block users with project-wide SSH keys from connecting to this instance, select Block project-wide SSH keys
  6. Click Save at the bottom of the page
  7. Repeat steps for every impacted Instance

From TF
Set the metadata key 'block-project-ssh-keys' to 'true' (the rule's check on the value is case-insensitive):

resource "google_compute_instance" "default" {
	..
	metadata = {
		block-project-ssh-keys = true
	}
	..
}

From Command Line
Run

gcloud compute instances add-metadata INSTANCE_NAME --metadata block-project-ssh-keys=TRUE --zone ZONE_OF_INSTANCE

References

  1. https://cloud.google.com/sdk/gcloud/reference/compute/project-info/add-metadata
  2. https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys#block-project-keys

Virtual Machine Instances

Compute Engine instances can run the public images for Linux and Windows Server that Google provides as well as private custom images that you can create or import from your existing systems. You can also deploy Docker containers, which are automatically launched on instances running the Container-Optimized OS public image.

You can choose the machine properties of your instances, such as the number of virtual CPUs and the amount of memory, by using a set of predefined machine types or by creating your own custom machine types.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CIS Controls V 8
  • GCP CIS Foundations v. 1.0.0
  • GCP CIS Foundations v. 1.1.0
  • GCP CIS Foundations v. 1.2.0
  • GCP CIS Foundations v. 1.3.0
  • GCP CIS Foundations v. 2.0
  • GCP CloudGuard Best Practices
  • GCP GDPR Readiness
  • GCP ISO 27001:2013
  • GCP LGPD regulation
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 4
  • GCP NIST 800-53 Rev 5
  • GCP NIST CSF v1.1
  • GCP PCI-DSS 3.2
  • GCP PCI-DSS 4.0
  • GCP Security Risk Management