More Info:

Instances should not be configured to allow project-wide SSH keys. To support the principle of least privilege and prevent potential privilege escalation, instances should not be given access to project-wide SSH keys.

Risk Level

Medium

Address

Security

Compliance Standards

CISGCP, CBP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “SSH Keys Should Be Instance Specific” for GCP using GCP console, you can follow the below steps:
  1. Login to the GCP console and select the project where the instance is running.
  2. In the left navigation menu, select “Compute Engine” and then click on “VM instances”.
  3. Select the instance for which you want to remediate the misconfiguration.
  4. Click on “Edit” button at the top of the page.
  5. Scroll down to the “SSH Keys” section and click on “Show and edit”.
  6. Remove any public SSH keys that are not specific to the instance.
  7. Add new SSH keys that are specific to the instance by clicking on “Add item” and pasting the public key in the text box.
  8. Click on “Save” to save the changes.
By following these steps, you have successfully remediated the misconfiguration “SSH Keys Should Be Instance Specific” for GCP using GCP console.

To remediate the misconfiguration of SSH keys not being instance-specific in GCP using GCP CLI, follow these steps:
  1. Open the Cloud Shell in the GCP console.
  2. Check the current SSH keys in your project using the following command:
gcloud compute os-login ssh-keys list
  1. Identify the SSH keys that are not instance-specific and remove them using the following command:
gcloud compute os-login ssh-keys remove --key-file=<path-to-key-file>
  1. Create a new instance-specific SSH key using the following command:
ssh-keygen -t rsa -f ~/.ssh/<key-file-name> -C <comment>
  1. Add the new SSH key to your project using the following command:
gcloud compute os-login ssh-keys add --key-file=<path-to-key-file>
  1. Create a new instance in GCP and specify the new SSH key as the metadata for the instance.
  2. Connect to the new instance using the new instance-specific SSH key.
By following these steps, you can remediate the misconfiguration of SSH keys not being instance-specific in GCP using GCP CLI.
To remediate the misconfiguration “SSH Keys Should Be Instance Specific” for GCP using Python, you can follow the below steps:
  1. First, you need to create a new SSH key pair for the instance. You can use the paramiko library in Python to generate an SSH key pair.
    import paramiko
    
    ssh = paramiko.SSHClient()
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    ssh.connect('instance-ip-address', username='username', password='password')
    ssh.exec_command('ssh-keygen -t rsa')
    
  2. Once you have generated the SSH key pair, you need to add the public key to the instance’s metadata. You can use the google-auth and google-api-python-client libraries in Python to interact with GCP APIs.
    from google.oauth2 import service_account
    from googleapiclient.discovery import build
    
    credentials = service_account.Credentials.from_service_account_file('path/to/credentials.json')
    
    compute = build('compute', 'v1', credentials=credentials)
    
    project_id = 'your-project-id'
    zone = 'instance-zone'
    instance_name = 'instance-name'
    
    instance = compute.instances().get(project=project_id, zone=zone, instance=instance_name).execute()
    
    metadata = instance['metadata']
    items = metadata.get('items', [])
    
    # Remove any existing SSH keys
    items = [item for item in items if item['key'] != 'ssh-keys']
    
    # Add the new SSH key
    ssh_key = 'ssh-rsa <public-key> instance-specific-key'
    items.append({'key': 'ssh-keys', 'value': ssh_key})
    
    # Update the instance metadata
    metadata['items'] = items
    compute.instances().setMetadata(project=project_id, zone=zone, instance=instance_name, body={'metadata': metadata}).execute()
    
  3. Finally, you can test the new SSH key by connecting to the instance using the private key.
    ssh.connect('instance-ip-address', username='username', key_filename='/path/to/private/key')
    
By following these steps, you can remediate the misconfiguration “SSH Keys Should Be Instance Specific” for GCP using Python.

Additional Reading: