GCP project-wide SSH keys block removed
Description
AlphaSOC detected the removal of the "block-project-ssh-keys" metadata from a Google Compute Engine instance. This setting, when enabled, prevents project-wide SSH keys from accessing the instance. Removing this block allows all project-wide SSH keys to authenticate to the instance, significantly increasing the attack surface if any project-wide keys are compromised.
Impact
Removing the SSH key block expands the authentication scope of the instance to include all project-wide SSH keys. If an attacker has compromised any project-wide SSH key, they can now access this instance. This increases the blast radius of credential compromises and may indicate preparation for lateral movement or for establishing persistent access.
Severity
| Severity | Condition |
|---|---|
| Informational | Project-wide SSH keys block removed |
Investigation and Remediation
Verify the identity that removed the SSH key block and confirm the action was authorized. Review the project-wide SSH keys to ensure they are all legitimate and properly secured. Consider re-enabling the block unless there is a specific business requirement. Audit recent SSH access to the instance and investigate any unusual access patterns.
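To support the first investigation step, the following added example (not AlphaSOC's detection code) scans Cloud Audit Log entries for setMetadata calls that leave an instance without an effective block-project-ssh-keys=TRUE setting, and reports the instance and principal behind each. The log lines are constructed, the field layout is a simplified assumption to verify against real entries, and the check deliberately goes slightly beyond the page by also flagging the key being set to a non-TRUE value, which has the same effect as removing it.

```python
import json

# Constructed sample entries (not real logs) in a simplified Cloud Audit Log
# shape. Assumption: a setMetadata request carries the instance's complete
# replacement metadata, so a missing key means it was removed.
def _entry(method, instance, who, items):
    return json.dumps({"protoPayload": {
        "methodName": method,
        "authenticationInfo": {"principalEmail": who},
        "resourceName": f"projects/demo/zones/us-central1-a/instances/{instance}",
        "request": {"metadata": {"items": items}}}})

SET = "v1.compute.instances.setMetadata"
SAMPLE_LOG_LINES = [
    # key dropped entirely: block removed
    _entry(SET, "web-1", "alice@example.com",
           [{"key": "enable-oslogin", "value": "FALSE"}]),
    # block still present: benign
    _entry(SET, "db-1", "deploy@example.com",
           [{"key": "block-project-ssh-keys", "value": "TRUE"}]),
    # block set to false: same effect as removal
    _entry(SET, "web-2", "bob@example.com",
           [{"key": "block-project-ssh-keys", "value": "false"}]),
    # unrelated method: ignored even though no block key is present
    _entry("v1.compute.instances.start", "web-1", "alice@example.com", []),
]

def block_disabled(entry):
    """True when a setMetadata call leaves project-wide SSH keys unblocked."""
    payload = entry.get("protoPayload", {})
    if not payload.get("methodName", "").endswith("compute.instances.setMetadata"):
        return False
    items = payload.get("request", {}).get("metadata", {}).get("items", []) or []
    values = {i.get("key"): str(i.get("value", "")) for i in items}
    return values.get("block-project-ssh-keys", "").upper() != "TRUE"

def scan(lines):
    """Return (instance, principal) for each log line that disables the block."""
    findings = []
    for line in lines:
        entry = json.loads(line)
        if block_disabled(entry):
            payload = entry["protoPayload"]
            findings.append((payload["resourceName"].rsplit("/", 1)[-1],
                             payload["authenticationInfo"]["principalEmail"]))
    return findings

if __name__ == "__main__":
    for instance, who in scan(SAMPLE_LOG_LINES):
        print(f"{who} disabled the project-wide SSH key block on {instance}")
```

Each finding is a candidate for the identity check above; confirming the change was authorized still requires correlating the principal with a change record.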
Known False Positives
- Legitimate configuration changes during instance provisioning
- Administrators temporarily enabling project-wide access for maintenance
- Migration or automation scripts that require broader SSH access