---
title: Project-wide SSH keys are enabled in VM instances
---

# Project-wide SSH keys are enabled in VM instances

## Metadata{% #metadata %}

**Id:** `ansible-gcp-project-wide-ssh-keys-are-enabled-in-vm-instances`

**Provider:** GCP

**Platform:** Ansible

**Severity:** Medium

**Category:** Secret Management

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_instance_module.html)

### Description{% #description %}

VM instances should block project-wide SSH keys. This prevents SSH keys defined at the project level from granting access to individual instances, reducing the risk of unintended or persistent SSH access and lateral movement if project metadata or keys are compromised.

For Ansible resources using `google.cloud.gcp_compute_instance` or `gcp_compute_instance`, ensure the `metadata.block-project-ssh-keys` property is defined and set to `true`. Resources that omit the `metadata` map, omit the `block-project-ssh-keys` key, or set it to `false` are flagged.

Secure configuration example for an Ansible task:

```yaml
- name: Create VM with project-wide SSH keys blocked
  google.cloud.gcp_compute_instance:
    name: my-instance
    machine_type: e2-medium
    metadata:
      block-project-ssh-keys: true
```
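As an added example (not Datadog's own rule implementation), the following Python checker applies the rule described above to a list of Ansible tasks: it flags a `gcp_compute_instance` task when the `metadata` map is absent, when `block-project-ssh-keys` is absent, or when the value is not true. The task data is constructed inline as Python dictionaries mirroring this page's YAML examples, so it runs without a YAML parser.

```python
# Added example, not Datadog's rule code: a minimal checker for the
# block-project-ssh-keys rule over a list of Ansible tasks. Tasks are embedded
# as Python dicts mirroring the page's YAML so the script runs without a YAML parser.

GCP_INSTANCE_MODULES = ("google.cloud.gcp_compute_instance", "gcp_compute_instance")
# Ansible accepts several spellings for booleans; treat these string forms as true.
TRUE_VALUES = {"true", "yes", "on", "1"}


def is_true(value):
    """Return True for Ansible-style truthy booleans (bool or string form)."""
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() in TRUE_VALUES


def find_violations(tasks):
    """Return (task name, reason) for each GCP instance task that does not
    set metadata.block-project-ssh-keys to a true value."""
    violations = []
    for task in tasks:
        module = next((m for m in GCP_INSTANCE_MODULES if m in task), None)
        if module is None:
            continue  # not a GCP instance task, rule does not apply
        params = task[module] or {}
        name = task.get("name", "<unnamed>")
        metadata = params.get("metadata")
        if not isinstance(metadata, dict):
            violations.append((name, "metadata map is missing"))
        elif "block-project-ssh-keys" not in metadata:
            violations.append((name, "block-project-ssh-keys key is missing"))
        elif not is_true(metadata["block-project-ssh-keys"]):
            violations.append((name, "block-project-ssh-keys is not true"))
    return violations


# Constructed sample tasks, mirroring the compliant and non-compliant YAML on this page.
SAMPLE_TASKS = [
    {"name": "ssh_keys_blocked", "google.cloud.gcp_compute_instance":
        {"name": "ssh-keys-blocked-instance", "metadata": {"block-project-ssh-keys": True}}},
    {"name": "ssh_keys_unblocked", "google.cloud.gcp_compute_instance":
        {"name": "ssh-keys-unblocked-instance", "metadata": {"block-project-ssh-keys": "no"}}},
    {"name": "ssh_keys_missing", "gcp_compute_instance":
        {"name": "ssh-keys-missing-instance", "metadata": {"cost-center": "12345"}}},
    {"name": "no_metadata", "google.cloud.gcp_compute_instance":
        {"name": "no-metadata-instance"}},
    {"name": "unrelated", "debug": {"msg": "not a VM task"}},
]

if __name__ == "__main__":
    for task_name, reason in find_violations(SAMPLE_TASKS):
        print(f"{task_name}: {reason}")
```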

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: ssh_keys_blocked
  google.cloud.gcp_compute_instance:
    name: ssh-keys-blocked-instance
    metadata:
      block-project-ssh-keys: yes
    zone: us-central1-a
    auth_kind: serviceaccount
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
- name: ssh_keys_unblocked
  google.cloud.gcp_compute_instance:
    name: ssh-keys-unblocked-instance
    metadata:
      block-project-ssh-keys: no
    zone: us-central1-a
    auth_kind: serviceaccount
- name: ssh_keys_missing
  google.cloud.gcp_compute_instance:
    name: ssh-keys-missing-instance
    metadata:
      startup-script-url: gs://graphite-playground/bootstrap.sh
      cost-center: '12345'
    zone: us-central1-a
    auth_kind: serviceaccount
- name: no_metadata
  google.cloud.gcp_compute_instance:
    name: no-metadata-instance
    zone: us-central1-a
    auth_kind: serviceaccount
```
