Project-wide SSH keys are allowed Affecting Compute Engine service in Google

Severity Framework Snyk CCSS

Rule category Keys and Secrets / Secure Login

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

CIS-Controls CIS-Google HIPAA ISO-27001 NIST-800-53 PCI-DSS SOC-2

Snyk ID SNYK-CC-00379
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

Project-wide SSH keys for Compute Engine instances may be easier to manage than instance-specific SSH keys, but if compromised, present increase security risk to all instances within a given project. Note that if OS Login is enabled, SSH keys in instance metadata are ignored, so blocking project-wide SSH keys is not necessary.

How to fix?

Set metadata.block-project-ssh-keys attribute to true.

Example Configuration

resource "google_compute_instance" "allowed" {
  name         = "test"
  machine_type = "e2-medium"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-11"
    }
  }

  network_interface {
    network = "default"

  metadata = {
    block-project-ssh-keys = true
  }
}

Terraform

Resource: google_compute_instance

References

Restrict SSH keys from VMs