Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Enable "Block Project-Wide SSH Keys" Security Feature

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: ComputeEngine-009

Ensure that your Google Compute Engine instances are configured to ignore GCP project-wide (shared) public SSH keys and use instance-level SSH keys instead.

This rule resolution is part of the Conformity Security & Compliance tool for GCP.

Security

Project-wide SSH keys can be used to log in to all the Google Cloud VM instances running inside a GCP project. The project-wide SSH keys can ease the SSH key management but if compromised, they pose a security risk which can impact all the VM instances within the project, therefore it is strongly recommended to use instance specific SSH keys as these keys can limit the attack surface if they are compromised. By default, the "Block Project-Wide SSH Keys" security feature is not enabled for Google Compute Engine instances.

Note: VM Instances created by Google Kubernetes Engine (GKE) are excluded from this recommendation due to differences in the available settings.

Audit

To determine if your virtual machine (VM) instances are using common/shared project-wide SSH keys instead of instance specific SSH keys, perform the following operations:

Note: VM Instances created by Google Kubernetes Engine (GKE) are excluded from this recommendation. Instances provisioned by GKE service have names that start with "gke-" and are labeled "goog-gke-node".

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Google Compute Engine dashboard at https://console.cloud.google.com/compute.

04 In the navigation panel, select VM instances to access the list with the virtual machine (VM) instances provisioned for the selected project.

05 Click on the name of the VM instance that you want to examine.

06 Select the Details tab to access the instance configuration details and check the Block project-wide SSH keys configuration setting status. If the Block project-wide SSH keys setting is disabled, the selected Google Compute Engine instance is configured to use project-wide (shared) public SSH keys instead of instance-level SSH keys.

07 Repeat step no. 5 and 6 for each virtual machine instance created within the selected project.

08 Repeat steps no. 2 – 7 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the Google Cloud Platform (GCP) projects available in your Google Cloud account: 

gcloud projects list
	--format="table(projectId)"

02 The command output should return the requested GCP project IDs: 

PROJECT_ID
cc-web-stack-project-123123
cc-internal-app-project-112233

03 Run compute instances list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as identifier parameter and custom query filters to describe the name and zone for each VM instance launched for the selected project: 

gcloud compute instances list
	--project cc-web-stack-project-123123
	--format="table(name,zone)"

04 The command output should return the name(s) of the instance(s) within the selected GCP project: 

NAME                      ZONE
cc-frontend-vm-instance   us-central1-a
cc-backend-vm-instance    us-central1-a

05 Run compute instances describe command (Windows/macOS/Linux) using the name and the zone of the instance that you want to examine as identifier parameter and custom filtering to describe the Block Project-Wide SSH Keys feature status, configured for the selected VM instance: 

gcloud compute instances describe cc-frontend-vm-instance
	--zone us-central1-a
	--format="json(metadata.items)"

06 The command output should return the requested feature configuration status: 

null

If the compute instances describe command output returns null, as shown in the example above, the Block Project-Wide SSH Keys feature is not enabled, therefore the selected Google Compute Engine instance is using project-wide (shared) public SSH keys instead of instance-level SSH keys.

07 Repeat step no. 5 and 6 for each virtual machine instance provisioned within the selected project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To enable Block Project-Wide SSH Keys security feature and block users with common/shared project-wide SSH keys from connecting to your Google Cloud VM instances, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to Google Compute Engine dashboard at https://console.cloud.google.com/compute.

04 In the navigation panel, select VM instances to access the list with all the VM instances provisioned for the selected project.

05 Click on the name of the virtual machine (VM) instance that you want to reconfigure.

06 On the selected resource configuration page, click EDIT to enter the edit mode.

07 Select Block project-wide SSH keys setting checkbox to enable the Block Project-Wide SSH Keys feature.

08 Under SSH Keys, click Show and edit to display all the instance-level public SSH keys available for the selected Google Cloud VM instance. If there are no instance-level SSH keys already defined, paste the contents of your public SSH key file into the Enter public SSH key text box and click Add item. Repeat this step for each public SSH key that you want to assign to your instance.

09 Click Save to apply the configuration changes.

10 If required, repeat steps no. 5 – 9 to reconfigure other virtual machine instances created within the selected project.

11 Repeat steps no. 2 – 10 for each GCP project available in your Google Cloud account.

Using GCP CLI

01 Run compute instances add-metadata command (Windows/macOS/Linux) using the name and the zone of the instance that you want to reconfigure as identifier (see Audit section part II to identify the right resource), to enable the Block Project-Wide SSH Keys feature for the selected Google Compute Engine instance: 

gcloud compute instances add-metadata cc-frontend-vm-instance
	--zone us-central1-a
	--metadata block-project-ssh-keys=TRUE

02 The command output should return the URL of the reconfigured VM instance: 

Updated [https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/instances/cc-frontend-vm-instance].

03 Paste the contents of the public SSH key that you want to assign to your VM instance into a text file named instance-ssh-key.txt. The text file should have the following format: 

<user-name>:ssh-rsa <ssh-public-key> <user-name>

04 Execute compute instances add-metadata command (Windows/macOS/Linux) using the text file defined at the previous step as value for the --metadata-from-file parameter, to assign the specified instance-level public SSH key to the selected Google Compute Engine instance: 

gcloud compute instances add-metadata cc-frontend-vm-instance
	--zone us-central1-a
	--metadata-from-file ssh-keys=instance-level-ssh-key.txt

05 The command output should return the URL of the reconfigured VM instance: 

Updated [https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/instances/cc-frontend-vm-instance].

06 If required, repeat steps no. 1 – 5 to reconfigure other virtual machine instances available within the selected project.

07 Repeat steps no. 1 – 6 for each GCP project deployed in your Google Cloud account

References

Publication date Mar 12, 2020

Related ComputeEngine rules