VM Instance should block project-wide SSH keys

ID

gcp_projectwide_ssh_keys_enabled_in_vm_instances

Severity

low

Vendor

GCP

Resource

Secret Management

Tags

reachable

Description

Disabling block-project-ssh-keys for a compute instance allow project-wide public SSH keys to be used for connecting to that instance. This can be a security risk as other project members could access the instance.

To fix it, you must configure the metadata.block-project-ssh-keys property to yes.

Learn more about this topic at Create a VPC-native cluster.

Examples

---
- name: vm
  google.cloud.gcp_compute_instance:
    metadata:
      block-project-ssh-keys: no
    zone: us-central1-a
    auth_kind: serviceaccount

Mitigation / Fix

---
- name: vm
  google.cloud.gcp_compute_instance:
    metadata:
      block-project-ssh-keys: yes
    zone: us-central1-a
    auth_kind: serviceaccount