MEDIUM
Source
Trivy/CSPM
CSPM ID
instance-level-ssh-only
ID
AVD-GCP-0030

Disable project-wide SSH keys for all instances

Use of project-wide SSH keys means that a compromise of any one of these key pairs can result in all instances being compromised. It is recommended to use instance-level keys.

Impact

Compromise of a single key pair compromises all instances

Follow the appropriate remediation steps below to resolve the issue.

  1. Log in to the Google Cloud Platform Console.

  2. In the left navigation panel, choose “Compute Engine” and then select the “VM instances” option.

  3. On the “VM instances” page, select the VM instance that needs to be verified.

  4. On the “VM instance details” page, scroll down and check whether “Block project-wide SSH keys” is enabled for the VM instance.

  5. Repeat steps 2 to 4 to verify the other VM instances in the network.

  6. Navigate to “Compute Engine”, choose “VM instances” and select the VM instance on which “Block project-wide SSH keys” needs to be enabled.

  7. On the “VM instance details” page, select the “Edit” button at the top.

  8. On the “VM instance details - Edit” page, select the checkbox next to “Block project-wide SSH keys”.

  9. Click the “Save” button to apply the change.

  10. Repeat steps 6 to 9 to ensure project-wide SSH keys are blocked for all instances.
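The console procedure above has to be repeated per instance. The following script is an added example, not part of the Trivy/AVD page or the Trivy project, that performs the same check across a whole project from the output of `gcloud compute instances list --format=json` and emits the per-instance remediation command (`gcloud compute instances add-metadata ... --metadata block-project-ssh-keys=TRUE`). The instance JSON below is constructed to match the shape of that command's output; the instance names, zones and project name in it are illustrative.

```python
import json

# Constructed sample in the shape of `gcloud compute instances list --format=json`.
# Only the fields the check reads are included; real output carries many more.
SAMPLE_INSTANCES_JSON = """
[
  {
    "name": "web-1",
    "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-a",
    "metadata": {"items": [{"key": "block-project-ssh-keys", "value": "TRUE"}]}
  },
  {
    "name": "web-2",
    "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-b",
    "metadata": {"items": [{"key": "startup-script", "value": "echo hi"}]}
  },
  {
    "name": "db-1",
    "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/europe-west1-c",
    "metadata": {"items": [{"key": "block-project-ssh-keys", "value": "false"}]}
  },
  {
    "name": "bastion",
    "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-a",
    "metadata": {"items": [{"key": "enable-oslogin", "value": "TRUE"}]}
  }
]
"""


def _metadata_flag(instance, key):
    """Return the metadata value stored under `key`, lower-cased, or None if absent.

    Compute Engine stores every metadata value as a string, so the Terraform
    literal `block-project-ssh-keys = true` arrives here as "true" and the
    gcloud form `block-project-ssh-keys=TRUE` as "TRUE"; both must count.
    """
    for item in instance.get("metadata", {}).get("items") or []:
        if item.get("key") == key:
            return str(item.get("value", "")).strip().lower()
    return None


def _zone_name(instance):
    """The API returns the zone as a full URL; gcloud wants only its last segment."""
    return instance.get("zone", "").rstrip("/").rsplit("/", 1)[-1]


def find_unblocked_instances(instances):
    """Return [{name, zone}] for every instance still honouring project-wide SSH keys."""
    findings = []
    for inst in instances:
        if _metadata_flag(inst, "block-project-ssh-keys") == "true":
            continue  # the control this check audits is in place
        # With OS Login enabled, Compute Engine ignores metadata-based SSH keys
        # entirely, so such instances are not exposed to project-wide keys.
        if _metadata_flag(inst, "enable-oslogin") == "true":
            continue
        findings.append({"name": inst["name"], "zone": _zone_name(inst)})
    return findings


def remediation_commands(findings):
    """Build the documented gcloud command that sets the instance-level flag."""
    return [
        f"gcloud compute instances add-metadata {f['name']} "
        f"--zone {f['zone']} --metadata block-project-ssh-keys=TRUE"
        for f in findings
    ]


def audit(instances_json):
    """Parse gcloud's JSON output and return the non-compliant instances."""
    return find_unblocked_instances(json.loads(instances_json))


if __name__ == "__main__":
    # Real use: gcloud compute instances list --format=json > instances.json
    for cmd in remediation_commands(audit(SAMPLE_INSTANCES_JSON)):
        print(cmd)
```

Run against a real export by replacing `SAMPLE_INSTANCES_JSON` with the contents of `gcloud compute instances list --format=json`; `web-2` (no flag at all) and `db-1` (flag explicitly `false`) are reported, while `web-1` and the OS Login-enabled `bastion` are not. Adding the metadata key sets it on the instance only, which is exactly the instance-level setting the console checkbox toggles.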

Disable project-wide SSH keys

 resource "google_service_account" "default" {
   account_id   = "service_account_id"
   display_name = "Service Account"
 }
 
 resource "google_compute_instance" "default" {
   name         = "test"
   machine_type = "e2-medium"
   zone         = "us-central1-a"
 
   tags = ["foo", "bar"]
 
   boot_disk {
     initialize_params {
       image = "debian-cloud/debian-9"
     }
   }
 
   // Local SSD disk
   scratch_disk {
     interface = "SCSI"
   }
 
   network_interface {
     network = "default"
 
     access_config {
       // Ephemeral IP
     }
   }
 
   metadata = {
     block-project-ssh-keys = true
   }
 
   metadata_startup_script = "echo hi > /test.txt"
 
   service_account {
     # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
     email  = google_service_account.default.email
     scopes = ["cloud-platform"]
   }
 }