Aqua CSPM

Instance Level SSH Only

Quick Info

Plugin TitleInstance Level SSH Only
CloudGOOGLE
CategoryCompute
DescriptionEnsures that instances are not configured to allow project-wide SSH keys
More InfoTo support the principle of least privilege and prevent potential privilege escalation it is recommended that instances are not give access to project-wide SSH keys through instance metadata.
GOOGLE Linkhttps://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys
Recommended ActionEnsure project-wide SSH keys are blocked for all instances.

Detailed Remediation Steps

  1. Log into the Google Cloud Platform Console.
  2. Scroll down the left navigation panel and choose the “Compute Engine” to select the “VM Instances” option.
  3. On the “VM Instances” page, select the VM instance which needs to be verified.
  4. On the “VM instance details” page, scroll down and check “Block project-wide SSH keys” is enabled or not for VM instances.
  5. Repeat steps number 2 - 4 to verify other VM instances in the network.
  6. Navigate to “Compute Engine”, choose the “VM instances” and select the “VM instance” which needs to enable “Block project-wide SSH keys” for VM instances.
  7. On the “VM instance details” page, select the “Edit” button at the top.
  8. On the “VM instance details - Edit page”, select the checkbox next to “Block project-wide SSH keys."
  9. Click on the “Save” button to make the changes.
  10. Repeat steps number 6 - 9 to ensure project-wide SSH keys are blocked for all instances.