Control: Ensure 'Block Project-wide SSH keys' is enabled for VM instances
Description
It is recommended to use instance-specific SSH key(s) instead of common/shared project-wide SSH key(s) to access instances.
Usage
Run the control in your terminal:
powerpipe control run gcp_compliance.control.compute_instance_block_project_wide_ssh_enabled
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run gcp_compliance.control.compute_instance_block_project_wide_ssh_enabled --share
SQL
This control uses a named query:
select
  self_link resource,
  case
    when name like 'gke-%' and labels ? 'goog-gke-node' then 'skip'
    when metadata -> 'items' @> '[{"key": "block-project-ssh-keys", "value": "true"}]' then 'ok'
    else 'alarm'
  end as status,
  case
    when name like 'gke-%' and labels ? 'goog-gke-node'
      then title || ' created by GKE.'
    when metadata -> 'items' @> '[{"key": "block-project-ssh-keys", "value": "true"}]'
      then title || ' has "Block Project-wide SSH keys" enabled.'
    else title || ' has "Block Project-wide SSH keys" disabled.'
  end as reason,
  location as location,
  project as project
from
  gcp_compute_instance;
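The following is an added example, not part of the mod: a Python port of the query's three branches that runs offline over instance resources in the JSON shape returned by the Compute API. The sample instances are constructed, and using the instance name in place of the table's title column is an assumption.

```python
import json

KEY = "block-project-ssh-keys"

# Constructed sample shaped like Compute API instance resources (JSON).
SAMPLE = json.loads("""[
  {"name": "gke-prod-pool-1a2b", "labels": {"goog-gke-node": ""},
   "metadata": {"items": []}},
  {"name": "web-1",
   "metadata": {"items": [{"key": "block-project-ssh-keys", "value": "true"}]}},
  {"name": "web-2",
   "metadata": {"items": [{"key": "block-project-ssh-keys", "value": "TRUE"}]}},
  {"name": "db-1",
   "metadata": {"items": [{"key": "enable-oslogin", "value": "true"}]}},
  {"name": "batch-1", "metadata": {}}
]""")


def evaluate(instance):
    """Return (status, reason) using the same branches as the named query."""
    name = instance.get("name", "")  # assumption: stands in for the title column
    labels = instance.get("labels") or {}
    items = (instance.get("metadata") or {}).get("items") or []

    # Branch 1: GKE-managed nodes are skipped, not evaluated.
    if name.startswith("gke-") and "goog-gke-node" in labels:
        return "skip", f"{name} created by GKE."

    # Branch 2: jsonb containment (@>) compares strings exactly, so only the
    # literal value "true" matches; a value stored as "TRUE" reaches alarm.
    if any(i.get("key") == KEY and i.get("value") == "true" for i in items):
        return "ok", f'{name} has "Block Project-wide SSH keys" enabled.'

    # Branch 3: key absent, different value, or no metadata items at all.
    return "alarm", f'{name} has "Block Project-wide SSH keys" disabled.'


def report(instances):
    """Map instance name -> status for a list of instance resources."""
    return {i.get("name", ""): evaluate(i)[0] for i in instances}


if __name__ == "__main__":
    for inst in SAMPLE:
        print(*evaluate(inst), sep="\t")
```

An instance whose metadata value is stored in a different case, such as web-2 above, is reported as alarm because the comparison is exact.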