Enable "Block Project-Wide SSH Keys" Security Feature

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Google Compute Engine dashboard at https://console.cloud.google.com/compute.

04 In the navigation panel, select VM instances to access the list with the virtual machine (VM) instances provisioned for the selected project.

05 Click on the name of the VM instance that you want to examine.

06 Select the Details tab to access the instance configuration details and check the Block project-wide SSH keys configuration setting status. If the Block project-wide SSH keys setting is disabled, the selected Google Compute Engine instance is configured to use project-wide (shared) public SSH keys instead of instance-level SSH keys.

07 Repeat step no. 5 and 6 for each virtual machine instance created within the selected project.

08 Repeat steps no. 2 – 7 for each project deployed in your Google Cloud account.

01 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the Google Cloud Platform (GCP) projects available in your Google Cloud account:

gcloud projects list
	--format="table(projectId)"

02 The command output should return the requested GCP project IDs:

PROJECT_ID
cc-web-stack-project-123123
cc-internal-app-project-112233

03 Run compute instances list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as identifier parameter and custom query filters to describe the name and zone for each VM instance launched for the selected project:

gcloud compute instances list
	--project cc-web-stack-project-123123
	--format="table(name,zone)"

04 The command output should return the name(s) of the instance(s) within the selected GCP project:

NAME                      ZONE
cc-frontend-vm-instance   us-central1-a
cc-backend-vm-instance    us-central1-a

05 Run compute instances describe command (Windows/macOS/Linux) using the name and the zone of the instance that you want to examine as identifier parameter and custom filtering to describe the Block Project-Wide SSH Keys feature status, configured for the selected VM instance:

gcloud compute instances describe cc-frontend-vm-instance
	--zone us-central1-a
	--format="json(metadata.items)"

06 The command output should return the requested feature configuration status:

null

07 Repeat step no. 5 and 6 for each virtual machine instance provisioned within the selected project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to Google Compute Engine dashboard at https://console.cloud.google.com/compute.

04 In the navigation panel, select VM instances to access the list with all the VM instances provisioned for the selected project.

05 Click on the name of the virtual machine (VM) instance that you want to reconfigure.

06 On the selected resource configuration page, click EDIT to enter the edit mode.

07 Select Block project-wide SSH keys setting checkbox to enable the Block Project-Wide SSH Keys feature.

08 Under SSH Keys, click Show and edit to display all the instance-level public SSH keys available for the selected Google Cloud VM instance. If there are no instance-level SSH keys already defined, paste the contents of your public SSH key file into the Enter public SSH key text box and click Add item. Repeat this step for each public SSH key that you want to assign to your instance.

09 Click Save to apply the configuration changes.

10 If required, repeat steps no. 5 – 9 to reconfigure other virtual machine instances created within the selected project.

11 Repeat steps no. 2 – 10 for each GCP project available in your Google Cloud account.

01 Run compute instances add-metadata command (Windows/macOS/Linux) using the name and the zone of the instance that you want to reconfigure as identifier (see Audit section part II to identify the right resource), to enable the Block Project-Wide SSH Keys feature for the selected Google Compute Engine instance:

gcloud compute instances add-metadata cc-frontend-vm-instance
	--zone us-central1-a
	--metadata block-project-ssh-keys=TRUE

02 The command output should return the URL of the reconfigured VM instance:

Updated [https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/instances/cc-frontend-vm-instance].

03 Paste the contents of the public SSH key that you want to assign to your VM instance into a text file named instance-ssh-key.txt. The text file should have the following format:

<user-name>:ssh-rsa <ssh-public-key> <user-name>

04 Execute compute instances add-metadata command (Windows/macOS/Linux) using the text file defined at the previous step as value for the --metadata-from-file parameter, to assign the specified instance-level public SSH key to the selected Google Compute Engine instance:

gcloud compute instances add-metadata cc-frontend-vm-instance
	--zone us-central1-a
	--metadata-from-file ssh-keys=instance-level-ssh-key.txt

05 The command output should return the URL of the reconfigured VM instance:

Updated [https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/instances/cc-frontend-vm-instance].

06 If required, repeat steps no. 1 – 5 to reconfigure other virtual machine instances available within the selected project.

07 Repeat steps no. 1 – 6 for each GCP project deployed in your Google Cloud account