Skip to content

no-project-wide-ssh-keys

Default Severity: medium

Explanation

Use of project-wide SSH keys means that a compromise of any one of these key pairs can result in all instances being compromised. It is recommended to use instance-level keys.

Possible Impact

Compromise of a single key pair compromises all instances

Suggested Resolution

Disable project-wide SSH keys

Insecure Example

The following example will fail the google-compute-no-project-wide-ssh-keys check.

 resource "google_service_account" "default" {
   account_id   = "service_account_id"
   display_name = "Service Account"
 }

 resource "google_compute_instance" "default" {
   name         = "test"
   machine_type = "e2-medium"
   zone         = "us-central1-a"

   tags = ["foo", "bar"]

   boot_disk {
     initialize_params {
       image = "debian-cloud/debian-9"
     }
   }

   // Local SSD disk
   scratch_disk {
     interface = "SCSI"
   }

   network_interface {
     network = "default"

     access_config {
       // Ephemeral IP
     }
   }

   metadata = {
     block-project-ssh-keys = false
   }

   metadata_startup_script = "echo hi > /test.txt"

   service_account {
     # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
     email  = google_service_account.default.email
     scopes = ["cloud-platform"]
   }
 }

Secure Example

The following example will pass the google-compute-no-project-wide-ssh-keys check.

 resource "google_service_account" "default" {
   account_id   = "service_account_id"
   display_name = "Service Account"
 }

 resource "google_compute_instance" "default" {
   name         = "test"
   machine_type = "e2-medium"
   zone         = "us-central1-a"

   tags = ["foo", "bar"]

   boot_disk {
     initialize_params {
       image = "debian-cloud/debian-9"
     }
   }

   // Local SSD disk
   scratch_disk {
     interface = "SCSI"
   }

   network_interface {
     network = "default"

     access_config {
       // Ephemeral IP
     }
   }

   metadata = {
     block-project-ssh-keys = true
   }

   metadata_startup_script = "echo hi > /test.txt"

   service_account {
     # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
     email  = google_service_account.default.email
     scopes = ["cloud-platform"]
   }
 }