Project-wide SSH Keys Are Enabled In VM Instances

  • Query id: 099b4411-d11e-4537-a0fc-146b19762a79
  • Query name: Project-wide SSH Keys Are Enabled In VM Instances
  • Platform: Ansible
  • Severity: Medium
  • Category: Secret Management
  • URL: Github

Description

VM instances should block project-wide SSH keys: the instance metadata must set block-project-ssh-keys to yes, otherwise any SSH key added at the project level can log in to the instance.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
- name: ssh_keys_unblocked
  google.cloud.gcp_compute_instance:
    metadata:
      block-project-ssh-keys: no
    zone: us-central1-a
    auth_kind: serviceaccount
- name: ssh_keys_missing
  google.cloud.gcp_compute_instance:
    metadata:
      startup-script-url: gs://graphite-playground/bootstrap.sh
      cost-center: '12345'
    zone: us-central1-a
    auth_kind: serviceaccount
- name: no_metadata
  google.cloud.gcp_compute_instance:
    zone: us-central1-a
    auth_kind: serviceaccount

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
- name: ssh_keys_blocked
  google.cloud.gcp_compute_instance:
    metadata:
      block-project-ssh-keys: yes
    zone: us-central1-a
    auth_kind: serviceaccount
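The following is an added example, not KICS's own query or code from the google.cloud collection: it re-implements the rule this query expresses (a gcp_compute_instance task must carry metadata with block-project-ssh-keys set to a true value) over the structure yaml.safe_load returns for a task list, and runs it against the samples above, re-typed inline as constructed dicts. The short module name gcp_compute_instance, the handling of block/rescue/always groupings, and the quoted 'yes' spelling are assumptions beyond what the page shows.

```python
"""Check Ansible google.cloud.gcp_compute_instance tasks for project-wide SSH keys.

Added illustration, not KICS's own query: it re-implements the page's rule
(metadata must set block-project-ssh-keys to a true value) over the parsed
playbook structure that yaml.safe_load returns for a task list.
"""
from typing import Any, Iterable, Iterator, List, Optional, Tuple

# Module names that create a GCP VM: the FQCN used on the page plus the
# collection's short name (assumed alias).
INSTANCE_MODULES = ("google.cloud.gcp_compute_instance", "gcp_compute_instance")
METADATA_KEY = "block-project-ssh-keys"
TRUTHY_STRINGS = {"yes", "true", "on", "1"}


def is_truthy(value: Any) -> bool:
    """Accept the boolean spellings YAML and Ansible use; anything else does not block."""
    if isinstance(value, bool):
        return value
    if isinstance(value, (int, float)):
        return value == 1
    if isinstance(value, str):
        return value.strip().lower() in TRUTHY_STRINGS
    return False


def iter_tasks(tasks: Iterable[Any]) -> Iterator[dict]:
    """Yield leaf tasks, descending into block/rescue/always groupings (assumed layout)."""
    for task in tasks:
        if not isinstance(task, dict):
            continue
        nested = [task[k] for k in ("block", "rescue", "always") if isinstance(task.get(k), list)]
        if nested:
            for group in nested:
                yield from iter_tasks(group)
        else:
            yield task


def check_task(task: dict) -> Optional[str]:
    """Return why an instance task is non-compliant; None if compliant or not an instance task."""
    params = None
    for module in INSTANCE_MODULES:
        if module in task:
            params = task[module] if isinstance(task[module], dict) else {}
            break
    if params is None:
        return None
    metadata = params.get("metadata")
    if not isinstance(metadata, dict):
        return "no metadata block, so project-wide SSH keys are not blocked"
    if METADATA_KEY not in metadata:
        return f"metadata does not set {METADATA_KEY}"
    value = metadata[METADATA_KEY]
    if not is_truthy(value):
        return f"{METADATA_KEY} is {value!r}, expected yes"
    return None


def check_playbook(tasks: Iterable[Any]) -> List[Tuple[str, str]]:
    """Return (task name, reason) for every non-compliant instance task."""
    findings = []
    for task in iter_tasks(tasks):
        reason = check_task(task)
        if reason is not None:
            findings.append((str(task.get("name", "<unnamed>")), reason))
    return findings


def check_playbook_file(path: str) -> List[Tuple[str, str]]:
    """Load a task-list YAML file with PyYAML (assumed installed) and check it."""
    import yaml  # imported here so the rest of the module runs without PyYAML
    with open(path, encoding="utf-8") as fh:
        return check_playbook(yaml.safe_load(fh) or [])


# Constructed sample: the page's positive and negative tasks as yaml.safe_load
# would parse them (bare no/yes become False/True), plus one block-grouped task
# using the short module name and a quoted 'yes' string.
SAMPLE_TASKS = [
    {"name": "ssh_keys_unblocked",
     "google.cloud.gcp_compute_instance": {
         "metadata": {"block-project-ssh-keys": False},
         "zone": "us-central1-a", "auth_kind": "serviceaccount"}},
    {"name": "ssh_keys_missing",
     "google.cloud.gcp_compute_instance": {
         "metadata": {"startup-script-url": "gs://graphite-playground/bootstrap.sh",
                      "cost-center": "12345"},
         "zone": "us-central1-a", "auth_kind": "serviceaccount"}},
    {"name": "no_metadata",
     "google.cloud.gcp_compute_instance": {
         "zone": "us-central1-a", "auth_kind": "serviceaccount"}},
    {"name": "ssh_keys_blocked",
     "google.cloud.gcp_compute_instance": {
         "metadata": {"block-project-ssh-keys": True},
         "zone": "us-central1-a", "auth_kind": "serviceaccount"}},
    {"block": [
        {"name": "ssh_keys_blocked_quoted",
         "gcp_compute_instance": {"metadata": {"block-project-ssh-keys": "yes"},
                                  "zone": "us-central1-a"}}]},
]

if __name__ == "__main__":
    for name, reason in check_playbook(SAMPLE_TASKS):
        print(f"[MEDIUM] {name}: {reason}")
```

Run as-is it reports the three positive samples (unblocked, missing key, no metadata) and stays silent on the two compliant ones; point check_playbook_file at a playbook's task list to scan real files. The check deliberately treats a missing metadata block the same as an explicit no, because the instance then inherits whatever SSH keys exist at project level.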