Compute instance ‘block-project-ssh-keys’ should be enabled
Description
Project-wide SSH keys for Compute Engine instances may be easier to manage than instance-specific SSH keys, but if a project-wide key is compromised it presents an increased security risk, because it grants SSH access to every instance in the project rather than to a single instance. Given this, using instance-specific SSH keys is the more secure approach. Please note that if OS Login is enabled, SSH keys in instance metadata are ignored, so blocking project-wide SSH keys is not necessary.
Remediation Steps
Google Cloud Console
Navigate to VM instances.
Click on the instance name to go to the VM instance details page.
Click STOP if the instance is running, and then click EDIT.
Under SSH Keys, ensure Block project-wide SSH keys is enabled.
Click Save and then click START.
gcloud CLI
Stop the Compute Engine instance:
gcloud compute instances stop INSTANCE_NAME
Update the Compute Engine instance metadata to block project-wide public SSH keys:
gcloud compute instances add-metadata INSTANCE_NAME --metadata block-project-ssh-keys=TRUE
Restart the Compute Engine instance:
gcloud compute instances start INSTANCE_NAME
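The remediation above fixes one instance at a time. To find which instances in a project actually need it, a practitioner would audit the metadata of every instance with the same logic the description gives: an instance is fine if OS Login is in effect (instance-level enable-oslogin, or project-level enable-oslogin not overridden at the instance), or if block-project-ssh-keys is TRUE in its own metadata; otherwise it accepts project-wide keys. The script below is an added example, not part of the original page or of any Google tooling. It assumes the JSON shape of `gcloud compute instances list --format=json` (name, zone URL, metadata.items as key/value pairs) and of the commonInstanceMetadata field from `gcloud compute project-info describe --format=json`; the sample instances and project metadata are constructed inline so the check runs offline, and the value comparison treats only a case-insensitive "true" as enabled.

```python
import json

# Constructed sample shaped like `gcloud compute instances list --format=json`.
# Not real output: names, project and zones are placeholders.
SAMPLE_INSTANCES_JSON = json.dumps([
    {"name": "web-1",
     "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-a",
     "metadata": {"items": [{"key": "block-project-ssh-keys", "value": "TRUE"}]}},
    {"name": "web-2",
     "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-a",
     "metadata": {"items": []}},
    {"name": "bastion",
     "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/europe-west1-b",
     "metadata": {"items": [{"key": "enable-oslogin", "value": "TRUE"}]}},
    {"name": "worker-3",
     "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/europe-west1-b",
     "metadata": {"items": [{"key": "block-project-ssh-keys", "value": "false"}]}},
])

# Constructed project-level common metadata (shape of commonInstanceMetadata in
# `gcloud compute project-info describe --format=json`). OS Login is off project-wide here.
SAMPLE_PROJECT_METADATA = {"items": [{"key": "enable-oslogin", "value": "FALSE"}]}


def _is_true(value):
    """Metadata values are strings; only a case-insensitive 'true' counts as enabled (assumption)."""
    return value is not None and value.strip().lower() == "true"


def metadata_dict(metadata):
    """Flatten a metadata.items list of {key, value} pairs into a dict."""
    return {item["key"]: item.get("value") for item in (metadata or {}).get("items", [])}


def os_login_enabled(instance_meta, project_meta):
    """Instance-level enable-oslogin overrides the project-level setting."""
    if "enable-oslogin" in instance_meta:
        return _is_true(instance_meta["enable-oslogin"])
    return _is_true(project_meta.get("enable-oslogin"))


def evaluate(instance, project_meta):
    """Return (status, reason) for one instance using the page's compliance logic."""
    meta = metadata_dict(instance.get("metadata"))
    if os_login_enabled(meta, project_meta):
        return "compliant", "OS Login enabled; SSH keys in metadata are ignored"
    if _is_true(meta.get("block-project-ssh-keys")):
        return "compliant", "block-project-ssh-keys=TRUE"
    return "noncompliant", "project-wide SSH keys are accepted"


def zone_name(zone_url):
    """The API returns the zone as a URL; gcloud --zone wants only the last path segment."""
    return zone_url.rsplit("/", 1)[-1]


def audit(instances_json, project_metadata):
    """Evaluate every instance and return a list of findings."""
    project_meta = metadata_dict(project_metadata)
    findings = []
    for inst in json.loads(instances_json):
        status, reason = evaluate(inst, project_meta)
        findings.append({"name": inst["name"], "zone": zone_name(inst["zone"]),
                         "status": status, "reason": reason})
    return findings


def remediation_commands(finding):
    """The page's gcloud remediation steps for one noncompliant instance, with --zone added."""
    name, zone = finding["name"], finding["zone"]
    return [
        f"gcloud compute instances stop {name} --zone {zone}",
        f"gcloud compute instances add-metadata {name} --zone {zone} "
        f"--metadata block-project-ssh-keys=TRUE",
        f"gcloud compute instances start {name} --zone {zone}",
    ]


if __name__ == "__main__":
    for f in audit(SAMPLE_INSTANCES_JSON, SAMPLE_PROJECT_METADATA):
        print(f"{f['name']:10} {f['zone']:16} {f['status']:13} {f['reason']}")
        if f["status"] == "noncompliant":
            for cmd in remediation_commands(f):
                print("    " + cmd)
```

Against the constructed sample, web-2 (no metadata) and worker-3 (key explicitly false) are reported as noncompliant, while bastion passes because instance-level OS Login overrides the project-level FALSE. Feed the script real `gcloud ... --format=json` output in place of the sample to audit an actual project; the printed commands are exactly the page's remediation with the zone filled in.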