Project-wide SSH keys are allowed Affecting Compute Engine service in Google
Severity Framework
CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Snyk CCSS
Rule category
Each rule is associated with a high-level category. For example IAM, Container, Monitoring, Logging, Network, etc.
Keys and Secrets/ Secure Login
Is your environment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsFrameworks
CIS-ControlsCIS-GoogleHIPAAISO-27001NIST-800-53PCI-DSSSOC-2
- Snyk IDSNYK-CC-00379
- creditSnyk Research Team
Description
Project-wide SSH keys for Compute Engine instances may be easier to manage than instance-specific SSH keys, but if compromised, present increase security risk to all instances within a given project. Note that if OS Login is enabled, SSH keys in instance metadata are ignored, so blocking project-wide SSH keys is not necessary.
How to fix?
Set metadata.block-project-ssh-keys attribute to true.
Example Configuration
resource "google_compute_instance" "allowed" {
name = "test"
machine_type = "e2-medium"
zone = "us-central1-a"
boot_disk {
initialize_params {
image = "debian-cloud/debian-11"
}
}
network_interface {
network = "default"
metadata = {
block-project-ssh-keys = true
}
}