Instances should use instance-specific SSH keys instead of project-wide keys
Description
Datadog recommends using instance-specific SSH key(s) instead of common or shared project-wide SSH key(s) to access instances.
Rationale
Project-wide SSH keys are stored in compute or project-meta-data. Project-wide SSH keys can be used to log into all instances within a project. Using project-wide SSH keys facilitates SSH key management, but if compromised, poses a security risk which can impact all instances within a project. Datadog recommmends using instance-specific SSH keys, which can limit the attack surface if SSH keys are compromised.
Impact
Users already having project-wide SSH key pairs and are using third-party SSH clients will lose access to the impacted instances. For project users using Google Cloud or GCP Console-based SSH options, no manual key creation and distribution is required, this is all handled by Google Compute Engine (GCE) itself. To access an instance using third-party SSH clients, the instance-specific SSH key pairs need to be created and distributed to the required users.
From Console
- In the Google Cloud Console, navigate to VM Instances page, which lists all instances in your project.
- Click on the impacted instance name.
- Click Edit in the toolbar.
- To block users with project-wide SSH keys from connecting to this instance, select Block project-wide SSH keys under SSH Keys.
- Click Save at the bottom of the page.
- Repeat these steps for every impacted instance.
From Command Line
To block project-wide public SSH keys, set the metadata value to true using gcloud compute instances add-metadata <INSTANCE_NAME> --metadata block-project-ssh-keys=TRUE
.
Default Value
By default, Block Project-wide SSH keys is not enabled.
References
https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys
https://cloud.google.com/sdk/gcloud/reference/topic/formats
If OS Login is enabled, SSH keys in the instance metadata are ignored, which means you do not need to block project-wide SSH keys.