Compute Engine VMs are evaluated for the instance metadata key block-project-ssh-keys set to true, which indicates that project-wide SSH keys are blocked and only instance-level SSH keys or OS Login credentials are honored.
Risk
Allowing project-wide SSH keys lets a single compromised key reach every VM in the project, amplifying the blast radius. This endangers confidentiality (data exposure) and integrity (unauthorized changes) and enables lateral movement. Per-instance revocation and accountability are also weakened, because access is granted by a project-level key rather than by a key tied to one VM.
prowler gcp --checks compute_instance_block_project_wide_ssh_keys_disabled
Recommendation
Set block-project-ssh-keys=true to prevent shared key inheritance. Prefer OS Login or instance-specific keys, enforce least privilege and separation of duties for metadata changes, use short-lived credentials with rotation, limit direct SSH, and monitor access for anomalies.
Remediation
gcloud compute instances add-metadata <INSTANCE_NAME> --zone <ZONE> --metadata=block-project-ssh-keys=true
- In Google Cloud Console, go to Compute Engine > VM instances
- Click the target VM and then click Edit
- Under Custom metadata, click Add item
- Key: block-project-ssh-keys, Value: true
- Click Save
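The following Python script is an added example (not Prowler's own check implementation) showing the evaluation described above and the remediation command it leads to: it parses instance descriptions in the shape returned by `gcloud compute instances describe --format=json`, decides for each instance whether block-project-ssh-keys is set to true, and prints the gcloud add-metadata command for every non-compliant instance. The sample instances are constructed; the case-insensitive comparison of the value (so that TRUE and true both pass) is an assumption about how the metadata value is interpreted, as are the helper names.

```python
import json

# Constructed sample: four instance descriptions (metadata section only) in the
# shape returned by `gcloud compute instances describe --format=json`.
SAMPLE_INSTANCES = json.loads("""
[
  {"name": "web-1", "zone": "projects/demo-project/zones/us-central1-a",
   "metadata": {"items": [{"key": "block-project-ssh-keys", "value": "true"}]}},
  {"name": "web-2", "zone": "projects/demo-project/zones/us-central1-a",
   "metadata": {"items": [{"key": "block-project-ssh-keys", "value": "false"}]}},
  {"name": "db-1", "zone": "projects/demo-project/zones/europe-west1-b",
   "metadata": {}},
  {"name": "bastion", "zone": "projects/demo-project/zones/europe-west1-b",
   "metadata": {"items": [{"key": "block-project-ssh-keys", "value": "TRUE"}]}}
]
""")

METADATA_KEY = "block-project-ssh-keys"


def project_ssh_keys_blocked(instance):
    """Return True only when instance metadata sets block-project-ssh-keys to true.

    A missing metadata block, a missing items list, or any value other than
    "true" means project-wide keys are still inherited, so the instance fails.
    The comparison is case-insensitive (assumption: TRUE and true are equivalent).
    """
    items = (instance.get("metadata") or {}).get("items") or []
    for item in items:
        if item.get("key") == METADATA_KEY:
            return str(item.get("value", "")).strip().lower() == "true"
    return False


def zone_name(instance):
    """The zone field is a resource URL; the last path component is the zone name."""
    return instance.get("zone", "").rsplit("/", 1)[-1]


def audit(instances):
    """Return a list of (instance name, "PASS"/"FAIL", remediation command or None)."""
    findings = []
    for inst in instances:
        if project_ssh_keys_blocked(inst):
            findings.append((inst["name"], "PASS", None))
        else:
            # Same remediation as the Remediation section, filled in per instance.
            cmd = (f"gcloud compute instances add-metadata {inst['name']} "
                   f"--zone {zone_name(inst)} --metadata={METADATA_KEY}=true")
            findings.append((inst["name"], "FAIL", cmd))
    return findings


if __name__ == "__main__":
    for name, status, cmd in audit(SAMPLE_INSTANCES):
        print(f"{status} {name}" + (f"\n    {cmd}" if cmd else ""))
```

To run it against a real project, replace SAMPLE_INSTANCES with the output of `gcloud compute instances list --format=json`; the printed commands are exactly the per-instance form of the remediation above and can be reviewed before being applied.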
Source Code
Resource Type
compute.googleapis.com/Instance