Datadog recommends using instance-specific SSH keys instead of common or shared project-wide SSH keys to access instances.
Project-wide SSH keys are stored in the Compute Engine project metadata and can be used to log into every instance within a project. Using project-wide SSH keys simplifies SSH key management, but if such a key is compromised, it poses a security risk that affects all instances within the project. Datadog recommends using instance-specific SSH keys, which limit the attack surface if an SSH key is compromised.
Users who already have project-wide SSH key pairs and use third-party SSH clients will lose access to the affected instances. For project users who connect through Google Cloud or GCP Console-based SSH options, no manual key creation and distribution is required; Google Compute Engine (GCE) handles this itself. To access an instance using third-party SSH clients, instance-specific SSH key pairs need to be created and distributed to the required users.
To block project-wide public SSH keys, set the metadata value to true using gcloud compute instances add-metadata <INSTANCE_NAME> --metadata block-project-ssh-keys=TRUE.
By default, Block Project-wide SSH keys is not enabled.
https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys
https://cloud.google.com/sdk/gcloud/reference/topic/formats
If OS Login is enabled, SSH keys in the instance metadata are ignored, which means you do not need to block project-wide SSH keys.
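The following is an added example, not part of the Datadog rule or Google's tooling: it audits the JSON that gcloud compute instances list --format=json produces, flags instances that still accept project-wide SSH keys, honours the OS Login exception described above (instance-level enable-oslogin, or a project-level setting passed as a flag), and emits the remediation command from the rule for each finding. The instance data is constructed inline so the check runs offline; the project name, zones and instance names are placeholders.

```python
import json

# Constructed sample shaped like `gcloud compute instances list --format=json`,
# trimmed to the fields this check reads; not real project data.
SAMPLE_INSTANCES_JSON = """[
  {"name": "web-1", "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-a",
   "metadata": {"items": [{"key": "block-project-ssh-keys", "value": "TRUE"}]}},
  {"name": "web-2", "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-a",
   "metadata": {"items": [{"key": "enable-oslogin", "value": "TRUE"}]}},
  {"name": "db-1", "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-b",
   "metadata": {"items": [{"key": "startup-script", "value": "#! /bin/sh"}]}},
  {"name": "legacy-1", "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-b",
   "metadata": {"items": [{"key": "enable-oslogin", "value": "FALSE"}]}}
]"""

def _metadata(instance):
    """Flatten metadata.items into a key -> value dict (absent metadata -> {})."""
    items = instance.get("metadata", {}).get("items", [])
    return {item["key"]: item.get("value", "") for item in items}

def _is_true(value):
    # GCE treats the value case-insensitively; absence or anything else is false.
    return value is not None and value.strip().lower() == "true"

def find_noncompliant(instances, project_oslogin=False):
    """Return [(name, zone)] for instances that still accept project-wide SSH keys.
    Compliant: block-project-ssh-keys=TRUE, or OS Login in effect (enable-oslogin
    TRUE on the instance, or at project level and not overridden to FALSE on the
    instance), since OS Login ignores metadata-based SSH keys entirely."""
    findings = []
    for inst in instances:
        md = _metadata(inst)
        inst_oslogin = md.get("enable-oslogin")
        oslogin_on = _is_true(inst_oslogin) if inst_oslogin is not None else project_oslogin
        if oslogin_on or _is_true(md.get("block-project-ssh-keys")):
            continue
        findings.append((inst["name"], inst["zone"].rsplit("/", 1)[-1]))
    return findings

def remediation_commands(findings):
    """The gcloud command from the rule text, one per non-compliant instance."""
    return [f"gcloud compute instances add-metadata {name} --zone {zone} "
            "--metadata block-project-ssh-keys=TRUE" for name, zone in findings]

def audit_sample(project_oslogin=False):
    return find_noncompliant(json.loads(SAMPLE_INSTANCES_JSON), project_oslogin)

if __name__ == "__main__":
    for cmd in remediation_commands(audit_sample()):
        print(cmd)
```

To run it against a real project, replace SAMPLE_INSTANCES_JSON with the output of gcloud compute instances list --format=json and pass project_oslogin=True only if enable-oslogin=TRUE is set in the project metadata.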