Project-wide SSH Keys Are Enabled In VM Instances

  • Query id: 6e2b1ec1-1eca-4eb7-9d4d-2882680b4811
  • Query name: Project-wide SSH Keys Are Enabled In VM Instances
  • Platform: GoogleDeploymentManager
  • Severity: Medium
  • Category: Secret Management
  • URL: Github

Description

VM Instance should block project-wide SSH keys
Documentation

Code samples

Code samples with security vulnerabilities

Postitive test num. 1 - yaml file
resources:
  - name: vm
    type: compute.v1.instance
    properties:
      description: my-vm
Postitive test num. 2 - yaml file
resources:
  - name: vm
    type: compute.v1.instance
    properties:
      description: my-vm
      metadata:
        fingerprint: fingerprint
        items:
          - key: my-key
            value: true
          - key: my-key-2
            value: false
Postitive test num. 3 - yaml file
resources:
  - name: vm
    type: compute.v1.instance
    properties:
      description: my-vm
      metadata:
        fingerprint: fingerprint
        items:
          - key: my-key
            value: true
          - key: block-project-ssh-keys
            value: false

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
resources:
  - name: vm
    type: compute.v1.instance
    properties:
      description: my-vm
      metadata:
        fingerprint: fingerprint
        items:
          - key: my-key
            value: true
          - key: block-project-ssh-keys
            value: true