Instances should use instance-specific SSH keys instead of project-wide keys

Description

Datadog recommends using instance-specific SSH key(s) instead of common or shared project-wide SSH key(s) to access instances.

Rationale

Project-wide SSH keys are stored in compute or project-meta-data. Project-wide SSH keys can be used to log into all instances within a project. Using project-wide SSH keys facilitates SSH key management, but if compromised, poses a security risk which can impact all instances within a project. Datadog recommmends using instance-specific SSH keys, which can limit the attack surface if SSH keys are compromised.

Impact

Users already having project-wide SSH key pairs and are using third-party SSH clients will lose access to the impacted instances. For project users using Google Cloud or GCP Console-based SSH options, no manual key creation and distribution is required, this is all handled by Google Compute Engine (GCE) itself. To access an instance using third-party SSH clients, the instance-specific SSH key pairs need to be created and distributed to the required users.

Remediation

From Console

  1. In the Google Cloud Console, navigate to VM Instances page, which lists all instances in your project.
  2. Click on the impacted instance name.
  3. Click Edit in the toolbar.
  4. To block users with project-wide SSH keys from connecting to this instance, select Block project-wide SSH keys under SSH Keys.
  5. Click Save at the bottom of the page.
  6. Repeat these steps for every impacted instance.

From Command Line

To block project-wide public SSH keys, set the metadata value to true using gcloud compute instances add-metadata <INSTANCE_NAME> --metadata block-project-ssh-keys=TRUE.

Default Value

By default, Block Project-wide SSH keys is not enabled.

References

https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys https://cloud.google.com/sdk/gcloud/reference/topic/formats

Additional Information

If OS Login is enabled, SSH keys in the instance metadata are ignored, which means you do not need to block project-wide SSH keys.