Compute instance ‘block-project-ssh-keys’ should be enabled

Description

Project-wide SSH keys for Compute Engine instances are easier to manage than instance-specific SSH keys, but if a project-wide key is compromised it grants access to every instance in the project that accepts it: one leaked key becomes a project-wide compromise. Setting block-project-ssh-keys on each instance, so that only its instance-specific keys are honoured, limits the blast radius of a leaked key. Note that if OS Login is enabled for an instance (either in project metadata or, overriding the project setting, in the instance's own metadata), SSH keys in metadata are ignored entirely, so blocking project-wide SSH keys is not necessary for that instance; check the effective per-instance value rather than only the project-level setting.

Remediation Steps

Google Cloud Console

  • Navigate to VM instances.

  • Click on the instance name to go to the VM instance details page.

  • Click STOP if the instance is running, and then click EDIT.

  • Under SSH Keys, ensure Block project-wide SSH keys is enabled.

  • Click Save and then click START.

gcloud CLI

  • Stop the Compute Engine instance:

    • gcloud compute instances stop INSTANCE_NAME

  • Update the Compute Engine instance metadata to block project-wide public SSH keys (add --zone ZONE if the instance's zone is not your configured default; the setting takes effect without a restart, so the stop and start steps only mirror the console procedure):

    • gcloud compute instances add-metadata INSTANCE_NAME --metadata block-project-ssh-keys=TRUE

  • Restart the Compute Engine instance:

    • gcloud compute instances start INSTANCE_NAME
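The console and gcloud steps above fix one instance at a time. As an added example (not code from the original page or from the benchmark it reproduces), the following Python script applies the same check across a whole project: it reads the JSON that gcloud compute instances list --format=json and gcloud compute project-info describe --format=json produce, skips instances where OS Login is in effect (instance-level enable-oslogin overriding the project value), flags the rest that lack block-project-ssh-keys=TRUE, and emits the matching gcloud add-metadata commands. The function names, the sample JSON and the project name "demo" are constructed for illustration; only audit_live calls the real gcloud CLI.

```python
"""Audit Compute Engine instances for block-project-ssh-keys.

Added example, not code from the original page: it consumes the JSON produced
by `gcloud compute instances list --format=json` and
`gcloud compute project-info describe --format=json`, flags instances that
still accept project-wide SSH keys, and honours OS Login (instance-level
enable-oslogin overrides the project-level value). The sample JSON below is
constructed for illustration and does not describe a real project.
"""
import json
import subprocess

# Constructed sample of `gcloud compute instances list --format=json`,
# trimmed to the fields this script uses.
SAMPLE_INSTANCES_JSON = """
[
  {"name": "web-1", "zone": "https://www.googleapis.com/compute/v1/projects/demo/zones/us-central1-a",
   "metadata": {"items": [{"key": "block-project-ssh-keys", "value": "TRUE"}]}},
  {"name": "web-2", "zone": "https://www.googleapis.com/compute/v1/projects/demo/zones/europe-west1-b",
   "metadata": {"items": [{"key": "block-project-ssh-keys", "value": "false"}]}},
  {"name": "db-1", "zone": "https://www.googleapis.com/compute/v1/projects/demo/zones/us-central1-a",
   "metadata": {}},
  {"name": "bastion", "zone": "https://www.googleapis.com/compute/v1/projects/demo/zones/us-central1-a",
   "metadata": {"items": [{"key": "enable-oslogin", "value": "TRUE"}]}},
  {"name": "legacy", "zone": "https://www.googleapis.com/compute/v1/projects/demo/zones/us-east1-c",
   "metadata": {"items": [{"key": "enable-oslogin", "value": "FALSE"}]}}
]
"""

# Constructed samples of `gcloud compute project-info describe --format=json`,
# without and with project-wide OS Login.
SAMPLE_PROJECT_JSON = '{"commonInstanceMetadata": {"items": []}}'
SAMPLE_PROJECT_OSLOGIN_JSON = (
    '{"commonInstanceMetadata": {"items": [{"key": "enable-oslogin", "value": "TRUE"}]}}'
)


def _items(block):
    """Flatten a Compute Engine metadata block ({"items": [{key, value}, ...]}) to a dict."""
    return {i["key"]: i.get("value", "") for i in (block or {}).get("items", [])}


def _is_true(value):
    # Compute Engine accepts TRUE/true/True; compare case-insensitively.
    return str(value).strip().lower() == "true"


def oslogin_enabled(instance_meta, project_meta):
    """Effective OS Login state: an instance-level key overrides the project key."""
    if "enable-oslogin" in instance_meta:
        return _is_true(instance_meta["enable-oslogin"])
    return _is_true(project_meta.get("enable-oslogin", ""))


def audit(instances, project_info):
    """Return sorted (name, zone) pairs for instances that still accept project-wide keys.

    An instance is compliant when block-project-ssh-keys is TRUE or when OS Login
    is in effect for it (metadata SSH keys are then ignored anyway).
    """
    project_meta = _items(project_info.get("commonInstanceMetadata"))
    findings = []
    for inst in instances:
        meta = _items(inst.get("metadata"))
        if oslogin_enabled(meta, project_meta):
            continue
        if _is_true(meta.get("block-project-ssh-keys", "")):
            continue
        zone = inst["zone"].rsplit("/", 1)[-1]  # gcloud returns the zone as a full URL
        findings.append((inst["name"], zone))
    return sorted(findings)


def audit_json(instances_json, project_json):
    return audit(json.loads(instances_json), json.loads(project_json))


def remediation_commands(findings):
    """gcloud commands that set the key on each flagged instance (no restart needed)."""
    return [
        f"gcloud compute instances add-metadata {name} --zone {zone} "
        "--metadata block-project-ssh-keys=TRUE"
        for name, zone in findings
    ]


def audit_live(project):
    """Run the audit against a real project (requires an authenticated gcloud)."""
    inst = subprocess.run(
        ["gcloud", "compute", "instances", "list", "--project", project, "--format=json"],
        check=True, capture_output=True, text=True).stdout
    proj = subprocess.run(
        ["gcloud", "compute", "project-info", "describe", "--project", project, "--format=json"],
        check=True, capture_output=True, text=True).stdout
    return audit_json(inst, proj)


if __name__ == "__main__":
    for cmd in remediation_commands(audit_json(SAMPLE_INSTANCES_JSON, SAMPLE_PROJECT_JSON)):
        print(cmd)
```

Against the constructed sample, web-2 (key set to false), db-1 (key absent) and legacy (OS Login explicitly disabled on the instance) are flagged, while bastion is skipped because OS Login is on for it. With OS Login enabled in project metadata instead, only legacy remains, since its instance-level enable-oslogin=FALSE overrides the project value and it has no block-project-ssh-keys key. Review the printed commands before running them; they can be applied to running instances.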