Quick Info
| Plugin Title | Instance Level SSH Only |
| Cloud | |
| Category | Compute |
| Description | Ensures that instances are not configured to allow project-wide SSH keys |
| More Info | To support the principle of least privilege and prevent potential privilege escalation it is recommended that instances are not give access to project-wide SSH keys through instance metadata. |
| GOOGLE Link | https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys |
| Recommended Action | Ensure project-wide SSH keys are blocked for all instances. |
Detailed Remediation Steps
- Log into the Google Cloud Platform Console.
- Scroll down the left navigation panel and choose the “Compute Engine” to select the “VM Instances” option.
- On the “VM Instances” page, select the VM instance which needs to be verified.
- On the “VM instance details” page, scroll down and check “Block project-wide SSH keys” is enabled or not for VM instances.
- Repeat steps number 2 - 4 to verify other VM instances in the network.
- Navigate to “Compute Engine”, choose the “VM instances” and select the “VM instance” which needs to enable “Block project-wide SSH keys” for VM instances.
- On the “VM instance details” page, select the “Edit” button at the top.
- On the “VM instance details - Edit page”, select the checkbox next to “Block project-wide SSH keys."
- Click on the “Save” button to make the changes.
- Repeat steps number 6 - 9 to ensure project-wide SSH keys are blocked for all instances.