SSH Keys Should Be Instance Specific
More Info:
Instances should not be configured to allow project-wide SSH keys. To support the principle of least privilege and prevent potential privilege escalation, instances should not be given access to project-wide SSH keys.
Risk Level
Medium
Address
Security
Compliance Standards
CISGCP, CBP
Triage and Remediation
Remediation
To remediate the misconfiguration “SSH Keys Should Be Instance Specific” for GCP using the GCP console, follow these steps:
- Log in to the GCP console and select the project where the instance is running.
- In the left navigation menu, select “Compute Engine” and then click “VM instances”.
- Select the instance for which you want to remediate the misconfiguration.
- Click the “Edit” button at the top of the page.
- Scroll down to the “SSH Keys” section and click “Show and edit”.
- Remove any public SSH keys that are not specific to the instance.
- Add new SSH keys that are specific to the instance by clicking “Add item” and pasting the public key into the text box.
- Click “Save” to save the changes.
By following these steps, you have successfully remediated the misconfiguration “SSH Keys Should Be Instance Specific” for GCP using the GCP console.
To remediate the misconfiguration of SSH keys not being instance-specific in GCP using the GCP CLI, follow these steps:
- Open the Cloud Shell in the GCP console.
- Check the current SSH keys in your project using the following command:
gcloud compute os-login ssh-keys list
- Identify the SSH keys that are not instance-specific and remove them using the following command:
gcloud compute os-login ssh-keys remove --key-file=<path-to-key-file>
- Create a new instance-specific SSH key using the following command:
ssh-keygen -t rsa -f ~/.ssh/<key-file-name> -C <comment>
- Add the new SSH key to your project using the following command:
gcloud compute os-login ssh-keys add --key-file=<path-to-key-file>
- Create a new instance in GCP and specify the new SSH key as the metadata for the instance.
- Connect to the new instance using the new instance-specific SSH key.
By following these steps, you can remediate the misconfiguration of SSH keys not being instance-specific in GCP using the GCP CLI.
To remediate the misconfiguration “SSH Keys Should Be Instance Specific” for GCP using Python, follow these steps:
- First, create a new SSH key pair for the instance. You can use the paramiko library in Python to generate the key pair locally, so the private key never has to exist on the instance:
import paramiko

# Generate the key pair on the administrator's machine and store the private half locally
key = paramiko.RSAKey.generate(bits=3072)
key.write_private_key_file('/path/to/private/key')
# Compute Engine expects each ssh-keys metadata entry as "USERNAME:<key-type> <public-key> <comment>"
public_key = f"username:{key.get_name()} {key.get_base64()} instance-specific-key"
- Once you have generated the SSH key pair, add the public key to the instance’s metadata. You can use the google-auth and google-api-python-client libraries in Python to interact with the GCP APIs:
from google.oauth2 import service_account
from googleapiclient.discovery import build

credentials = service_account.Credentials.from_service_account_file('path/to/credentials.json')
compute = build('compute', 'v1', credentials=credentials)
project_id = 'your-project-id'
zone = 'instance-zone'
instance_name = 'instance-name'
# Read the current metadata; it carries the fingerprint that setMetadata requires
instance = compute.instances().get(project=project_id, zone=zone, instance=instance_name).execute()
metadata = instance['metadata']
items = metadata.get('items', [])
# Remove any existing SSH keys
items = [item for item in items if item['key'] != 'ssh-keys']
# Add the new SSH key (public_key from the previous step)
items.append({'key': 'ssh-keys', 'value': public_key})
# Update the instance metadata; the request body is the Metadata resource itself, fingerprint included
metadata['items'] = items
compute.instances().setMetadata(project=project_id, zone=zone, instance=instance_name, body=metadata).execute()
- Finally, test the new SSH key by connecting to the instance with the private key:
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh.connect('instance-ip-address', username='username', key_filename='/path/to/private/key')
By following these steps, you can remediate the misconfiguration “SSH Keys Should Be Instance Specific” for GCP using Python.
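The CLI and Python procedures above both end with the ssh-keys entry that has to land in the instance metadata. The following added example (not code from the original page) builds and checks that Metadata body offline, so it can be unit-tested before any API call; it goes one step beyond the text by also setting the documented `block-project-ssh-keys` instance-metadata key, which is what actually stops project-wide keys from being applied. The metadata dict shape mirrors what `compute.instances().get(...)['metadata']` returns; the sample metadata, fingerprint and key material are constructed placeholders.

```python
import re

# "USERNAME:<key-type> <base64-blob> [comment]" is the format Compute Engine
# expects for each ssh-keys entry; one entry per line when several are set.
SSH_KEY_RE = re.compile(
    r"^[a-z_][a-z0-9_-]*:(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp\d+) "
    r"[A-Za-z0-9+/]+=*( .*)?$"
)


def is_instance_specific(metadata):
    """Audit check: compliant only when project-wide keys are blocked here."""
    for item in metadata.get("items", []):
        if item["key"] == "block-project-ssh-keys":
            return item["value"].strip().lower() == "true"
    return False  # key absent means project-wide keys are still honoured


def remediate_metadata(metadata, username, public_key):
    """Return the Metadata body for instances.setMetadata: keep the fingerprint
    (the API rejects a stale or missing one), drop the old ssh-keys entry, add
    the instance-specific key and block project-wide keys."""
    entry = f"{username}:{public_key.strip()}"
    if not SSH_KEY_RE.match(entry):
        raise ValueError(f"malformed ssh-keys entry: {entry!r}")
    items = [i for i in metadata.get("items", [])
             if i["key"] not in ("ssh-keys", "block-project-ssh-keys")]
    items.append({"key": "ssh-keys", "value": entry})
    items.append({"key": "block-project-ssh-keys", "value": "TRUE"})
    return {"fingerprint": metadata["fingerprint"], "items": items}


# Constructed sample of a non-compliant instance's metadata (placeholder values).
SAMPLE_METADATA = {
    "kind": "compute#metadata",
    "fingerprint": "abc123==",  # placeholder; the real one comes from instances.get
    "items": [
        {"key": "enable-oslogin", "value": "FALSE"},
        {"key": "ssh-keys", "value": "alice:ssh-rsa AAAAB3NzaC1yc2E old-shared-key"},
    ],
}

if __name__ == "__main__":
    body = remediate_metadata(SAMPLE_METADATA, "alice",
                              "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5 instance-specific-key")
    # With a real client: compute.instances().setMetadata(project=..., zone=...,
    #                                                       instance=..., body=body).execute()
    print(is_instance_specific(SAMPLE_METADATA), is_instance_specific(body))  # False True
```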