Ensure that your Google Compute Engine instances are configured to ignore GCP project-wide (shared) public SSH keys and use instance-level SSH keys instead.
Project-wide SSH keys can be used to log in to every Google Cloud VM instance running inside a GCP project. They simplify SSH key management, but a compromised project-wide key gives the attacker access to all VM instances in the project. Instance-specific SSH keys are therefore strongly recommended: a compromised instance key limits the blast radius to that one instance. By default, the "Block Project-Wide SSH Keys" security feature is not enabled for Google Compute Engine instances (the instance metadata key `block-project-ssh-keys` is unset), so every instance accepts project-wide keys unless you opt it out.
To determine whether your virtual machine (VM) instances still accept common/shared project-wide SSH keys rather than only instance-specific SSH keys, perform the following operations:
Remediation / Resolution
To enable the "Block Project-Wide SSH Keys" security feature, so that users holding only common/shared project-wide SSH keys can no longer connect to your Google Cloud VM instances, perform the following operations:
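The audit and the remediation above both come down to one instance-level metadata key, `block-project-ssh-keys`, so they can be scripted together. The following is an added example and not part of this knowledge-base page's own steps. It assumes the instance descriptions were exported with `gcloud compute instances list --format=json` (the sample below is a constructed, field-trimmed imitation of that output, project name `demo-proj`), classifies each instance, and builds the `gcloud compute instances add-metadata ... --metadata block-project-ssh-keys=TRUE` command for every non-compliant one. It also handles the caveat a practitioner hits in practice: when OS Login (`enable-oslogin=TRUE`) is on, metadata-based SSH keys are ignored altogether, so the setting is moot for that instance. The status names (`COMPLIANT`, `NON_COMPLIANT`, `NOT_APPLICABLE_OSLOGIN`) are this example's own.

```python
import json

# Constructed sample shaped like `gcloud compute instances list --format=json`,
# trimmed to the fields this check reads (real output carries many more).
SAMPLE_INSTANCES = json.loads("""
[
  {"name": "web-1",
   "zone": "https://www.googleapis.com/compute/v1/projects/demo-proj/zones/us-central1-a",
   "metadata": {"items": [{"key": "block-project-ssh-keys", "value": "TRUE"}]}},
  {"name": "web-2",
   "zone": "https://www.googleapis.com/compute/v1/projects/demo-proj/zones/us-central1-b",
   "metadata": {"items": [{"key": "ssh-keys", "value": "alice:ssh-ed25519 AAAA-example-key alice"}]}},
  {"name": "legacy-1",
   "zone": "https://www.googleapis.com/compute/v1/projects/demo-proj/zones/europe-west1-b",
   "metadata": {"items": [{"key": "block-project-ssh-keys", "value": "false"}]}},
  {"name": "db-1",
   "zone": "https://www.googleapis.com/compute/v1/projects/demo-proj/zones/us-east1-c",
   "metadata": {"kind": "compute#metadata"}},
  {"name": "bastion",
   "zone": "https://www.googleapis.com/compute/v1/projects/demo-proj/zones/us-east1-c",
   "metadata": {"items": [{"key": "enable-oslogin", "value": "TRUE"}]}}
]
""")

METADATA_KEY = "block-project-ssh-keys"


def metadata_value(instance, key):
    """Return the value of an instance-level metadata item, or None if absent.
    Instances with no custom metadata at all have no "items" list."""
    for item in instance.get("metadata", {}).get("items", []):
        if item.get("key") == key:
            return item.get("value")
    return None


def is_true(value):
    """Google documents the value as TRUE; compare case-insensitively so that
    a hand-typed "true" is not reported as a finding."""
    return value is not None and value.strip().lower() == "true"


def audit_instance(instance):
    """Classify one instance.

    COMPLIANT: block-project-ssh-keys=TRUE is set on the instance.
    NOT_APPLICABLE_OSLOGIN: enable-oslogin=TRUE on the instance; OS Login
      disables metadata-based SSH keys entirely, project-wide ones included.
      (enable-oslogin set at project level has the same effect but is not
      visible in instance metadata, so this helper cannot see it.)
    NON_COMPLIANT: the key is unset or not TRUE, so project-wide keys work.
    """
    if is_true(metadata_value(instance, "enable-oslogin")):
        return "NOT_APPLICABLE_OSLOGIN"
    if is_true(metadata_value(instance, METADATA_KEY)):
        return "COMPLIANT"
    return "NON_COMPLIANT"


def audit_all(instances):
    return {inst["name"]: audit_instance(inst) for inst in instances}


def zone_name(instance):
    """gcloud reports the zone as a full URL; add-metadata wants the short name."""
    return instance["zone"].rstrip("/").rsplit("/", 1)[-1]


def remediation_command(instance):
    """argv for the documented remediation; print it for review before running."""
    return ["gcloud", "compute", "instances", "add-metadata", instance["name"],
            "--zone", zone_name(instance),
            "--metadata", f"{METADATA_KEY}=TRUE"]


def remediation_plan(instances):
    """One add-metadata command per NON_COMPLIANT instance (OS Login hosts skipped)."""
    return [remediation_command(i) for i in instances
            if audit_instance(i) == "NON_COMPLIANT"]


if __name__ == "__main__":
    import shlex
    for name, status in audit_all(SAMPLE_INSTANCES).items():
        print(f"{name:10s} {status}")
    for argv in remediation_plan(SAMPLE_INSTANCES):
        print(shlex.join(argv))
```

Running the script against real output (`gcloud compute instances list --format=json > instances.json`, then `json.load` in place of the sample) prints the commands rather than executing them, so the change set can be reviewed first. Because the example only inspects instance metadata, confirm whether `enable-oslogin` is also set at the project level before treating `NOT_APPLICABLE_OSLOGIN` as the full picture.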
Rule: Enable "Block Project-Wide SSH Keys" Security Feature
Risk level: Medium