More Info:
Instances should not be configured to allow project-wide SSH keys. Project-wide keys are stored in the project's common instance metadata and are accepted by every instance in the project that does not explicitly block them, so anyone who can edit project metadata gets SSH access to every such VM. To support the principle of least privilege and prevent potential privilege escalation, instances should block project-wide SSH keys and accept only keys set in their own metadata (or use OS Login, which ignores metadata-based keys altogether).

Risk Level: Medium
Address: Security
Compliance Standards: CISGCP, CBP
Triage and Remediation
Remediation
Using Console
To remediate the misconfiguration “SSH Keys Should Be Instance Specific” for GCP using the GCP console, follow these steps:
- Log in to the GCP console and select the project where the instance is running.
- In the left navigation menu, select “Compute Engine” and then click on “VM instances”.
- Click the name of the instance you want to remediate, then click the “Edit” button at the top of the page.
- Scroll down to the “SSH Keys” section (shown under “Security and access” in newer versions of the console) and click on “Show and edit”.
- Tick the “Block project-wide SSH keys” checkbox. This is the actual remediation: the instance will from now on honour only the keys listed in its own metadata, while keys in project metadata are ignored for this instance.
- Any key that should still have access to this instance must now be added at the instance level: click on “Add item” and paste the public key, prefixed with its username, in the text box. Do not add it to the project-wide keys.
- Click on “Save” to save the changes.
- If the instance uses OS Login (the “enable-oslogin” metadata key set to TRUE at instance or project level), metadata-based SSH keys are ignored entirely and this finding does not apply; OS Login is the preferred way to get per-user, IAM-controlled access.
Using CLI
To remediate the misconfiguration of SSH keys not being instance-specific in GCP using the gcloud CLI, follow these steps:
- Open Cloud Shell in the GCP console (or any shell where gcloud is authenticated against the project).
- List the keys that are currently accepted project-wide by describing the project with “gcloud compute project-info describe” and reading the “ssh-keys” item under “commonInstanceMetadata”.
- Describe the instance with “gcloud compute instances describe” (passing its zone) and check whether its metadata already contains “block-project-ssh-keys” set to TRUE. If it does, the instance is already compliant.
- Block project-wide keys on the instance with “gcloud compute instances add-metadata”, setting the metadata key “block-project-ssh-keys” to TRUE. This applies to the existing instance; there is no need to create a new one.
- If a key should still have access to this instance, generate an instance-specific key pair with ssh-keygen and add the public key to the instance's own “ssh-keys” metadata item (again via “gcloud compute instances add-metadata”) in the form “USERNAME:PUBLIC_KEY”. Note that add-metadata replaces the whole value of an existing key, so include every instance-level key that should remain. Do not write the key to project metadata, which would make it project-wide again.
- Connect to the instance with the new instance-specific key to confirm access, and verify that a key present only in project metadata is now rejected.
- Repeat for every instance in the project, or enable OS Login, which makes metadata-based SSH keys irrelevant.
Using Python
To remediate the misconfiguration “SSH Keys Should Be Instance Specific” for GCP using Python, follow these steps:
- Read the instance resource with the Compute Engine API (instances.get) using the google-auth and google-api-python-client libraries, and check its metadata items for “block-project-ssh-keys”. The response carries a metadata fingerprint next to the items; keep it, because instances.setMetadata rejects a request whose fingerprint does not match the current metadata.
- Build a new metadata body that keeps the existing items and sets “block-project-ssh-keys” to TRUE, then call instances.setMetadata with that body and the fingerprint. This is what stops the instance from accepting keys stored in project metadata.
- If the instance still needs a key, generate an instance-specific key pair (for example with the paramiko library, or with ssh-keygen) and append “USERNAME:PUBLIC_KEY” to the instance's own “ssh-keys” metadata item in the same setMetadata call. Never write it to the project metadata.
- Finally, test the new key by connecting to the instance with the private key, and confirm that a key present only in project metadata no longer works.
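The script below is an added example, not code from the original page or from any scanner's remediation library. It implements the CLI and Python procedures above with google-api-python-client: the pure functions inspect an instance resource dict shaped like an instances.get() response and build the instances.setMetadata body that blocks project-wide keys and optionally appends instance-level keys, and remediate() wires them to the API. SAMPLE_INSTANCE, its fingerprint, instance name and key strings are constructed placeholders; the check treats the block-project-ssh-keys value as case-insensitive “true”, which is an assumption noted in the code.

```python
# Added example: check a Compute Engine VM for the "SSH Keys Should Be Instance
# Specific" finding and build the setMetadata request that fixes it.
# google-api-python-client is assumed installed and is imported lazily inside
# remediate() so the pure logic can run and be tested without network access.

BLOCK_KEY = "block-project-ssh-keys"
OSLOGIN_KEY = "enable-oslogin"
SSH_KEYS = "ssh-keys"


def _items(resource):
    """Metadata items list of an instance or project resource (may be missing)."""
    return list(((resource or {}).get("metadata") or {}).get("items") or [])


def _value(resource, key):
    """String value of one metadata key, or None if the key is absent."""
    for item in _items(resource):
        if item.get("key") == key:
            return str(item.get("value", ""))
    return None


def _is_true(value):
    # Assumption: Compute Engine accepts "TRUE"/"true" interchangeably for flags.
    return value is not None and value.strip().lower() == "true"


def uses_oslogin(instance, project=None):
    """OS Login ignores metadata SSH keys; an instance-level value overrides the project's."""
    inst = _value(instance, OSLOGIN_KEY)
    if inst is not None:
        return _is_true(inst)
    return _is_true(_value(project, OSLOGIN_KEY))


def is_compliant(instance, project=None):
    """Compliant when project-wide keys are blocked or OS Login is in force."""
    return _is_true(_value(instance, BLOCK_KEY)) or uses_oslogin(instance, project)


def remediated_metadata(instance, extra_ssh_keys=()):
    """Body for instances.setMetadata: keep existing items, force
    block-project-ssh-keys=TRUE, and append instance-level keys
    (lines of the form 'username:ssh-ed25519 AAAA...') without duplicates."""
    items = [dict(i) for i in _items(instance) if i.get("key") != BLOCK_KEY]
    items.append({"key": BLOCK_KEY, "value": "TRUE"})
    if extra_ssh_keys:
        existing = next((i for i in items if i.get("key") == SSH_KEYS), None)
        lines = [l for l in (existing or {}).get("value", "").splitlines() if l.strip()]
        for line in extra_ssh_keys:
            if line not in lines:
                lines.append(line)
        if existing is None:
            existing = {"key": SSH_KEYS}
            items.append(existing)
        existing["value"] = "\n".join(lines)
    # The fingerprint is mandatory: setMetadata is optimistic-locked on it, so a
    # concurrent edit makes the call fail instead of silently clobbering keys.
    return {"fingerprint": instance["metadata"]["fingerprint"], "items": items}


def remediate(project_id, zone, instance_name, extra_ssh_keys=()):
    """Apply the fix through the Compute API; returns the operation name, or None if already compliant."""
    from googleapiclient import discovery  # google-api-python-client, credentials via google-auth ADC

    compute = discovery.build("compute", "v1")
    instance = compute.instances().get(project=project_id, zone=zone, instance=instance_name).execute()
    if is_compliant(instance):
        return None
    body = remediated_metadata(instance, extra_ssh_keys)
    op = compute.instances().setMetadata(project=project_id, zone=zone, instance=instance_name, body=body).execute()
    return op["name"]


# Constructed sample, shaped like an instances.get() response (placeholder key material).
SAMPLE_INSTANCE = {
    "name": "web-1",
    "metadata": {
        "fingerprint": "abc123==",
        "items": [
            {"key": "enable-oslogin", "value": "FALSE"},
            {"key": "ssh-keys", "value": "deploy:ssh-ed25519 AAAAC3Nz...deploy"},
        ],
    },
}

if __name__ == "__main__":
    print("compliant before:", is_compliant(SAMPLE_INSTANCE))
    body = remediated_metadata(SAMPLE_INSTANCE, ["ops:ssh-ed25519 AAAAC3Nz...ops"])
    print("setMetadata body:", body)
    print("compliant after:", is_compliant({"metadata": body}))
```

The check deliberately looks at both instance and project metadata for OS Login, because the finding is a false positive on an OS Login instance, and remediated_metadata never rewrites project metadata: adding a key there is exactly the pattern the finding flags.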