SSH Keys Should Be Instance Specific

More Info:

Instances should not be configured to allow project-wide SSH keys. To support the principle of least privilege and prevent potential privilege escalation, instances should not be given access to project-wide SSH keys.

Risk Level

Medium

Address

Security

Compliance Standards

CISGCP, CBP

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration of SSH keys not being instance-specific in GCP using GCP CLI, follow these steps:

Open the Cloud Shell in the GCP console.
Check the current SSH keys in your project using the following command:

gcloud compute os-login ssh-keys list

Identify the SSH keys that are not instance-specific and remove them using the following command:

gcloud compute os-login ssh-keys remove --key-file=<path-to-key-file>

Create a new instance-specific SSH key using the following command:

ssh-keygen -t rsa -f ~/.ssh/<key-file-name> -C <comment>

Add the new SSH key to your project using the following command:

gcloud compute os-login ssh-keys add --key-file=<path-to-key-file>

Create a new instance in GCP and specify the new SSH key as the metadata for the instance.
Connect to the new instance using the new instance-specific SSH key.

By following these steps, you can remediate the misconfiguration of SSH keys not being instance-specific in GCP using GCP CLI.

Using Python

To remediate the misconfiguration “SSH Keys Should Be Instance Specific” for GCP using Python, you can follow the below steps:

First, you need to create a new SSH key pair for the instance. You can use the paramiko library in Python to generate an SSH key pair.

import paramiko

ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh.connect('instance-ip-address', username='username', password='password')
ssh.exec_command('ssh-keygen -t rsa')

Once you have generated the SSH key pair, you need to add the public key to the instance’s metadata. You can use the google-auth and google-api-python-client libraries in Python to interact with GCP APIs.

from google.oauth2 import service_account
from googleapiclient.discovery import build

credentials = service_account.Credentials.from_service_account_file('path/to/credentials.json')

compute = build('compute', 'v1', credentials=credentials)

project_id = 'your-project-id'
zone = 'instance-zone'
instance_name = 'instance-name'

instance = compute.instances().get(project=project_id, zone=zone, instance=instance_name).execute()

metadata = instance['metadata']
items = metadata.get('items', [])

# Remove any existing SSH keys
items = [item for item in items if item['key'] != 'ssh-keys']

# Add the new SSH key
ssh_key = 'ssh-rsa <public-key> instance-specific-key'
items.append({'key': 'ssh-keys', 'value': ssh_key})

# Update the instance metadata
metadata['items'] = items
compute.instances().setMetadata(project=project_id, zone=zone, instance=instance_name, body={'metadata': metadata}).execute()

Finally, you can test the new SSH key by connecting to the instance using the private key.
```
ssh.connect('instance-ip-address', username='username', key_filename='/path/to/private/key')
```

By following these steps, you can remediate the misconfiguration “SSH Keys Should Be Instance Specific” for GCP using Python.

Additional Reading:

https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

SSH Keys Should Be Instance Specific

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: