Explanation:

GCP SCC detects that an SSH key has been added to a GCE resource as admin.

At Solvay, all access to GCE has to go through the IAP proxy.



Resolution:

Further investigation is required to confirm that the key was generated by Google IAP rather than added to the instance manually by the user.

This can be either an expected or an unexpected action.
The GCP Security team will need to evaluate it based on the actions below:

Actions:

Check the SSH keys on the GCE instance for an entry tagged google-ssh that carries an expiry date.
Example:

ecdsa-sha2-nistp256 xxx+a/5M3GgK2nhJQydSeE5AY= google-ssh {"userName":"xxx.xxx@solvay.com","expireOn":"2022-03-30T10:18:39+0000"}

Follow up:

Not successful (no google-ssh entry with an expiry date) - End the investigation with unexpected action.

Successful (google-ssh entry found) - End the investigation with expected action.

See the table below for recommended action after investigation.

Is the action expected? | Action

Yes, it is expected:
Update the JIRA ticket to be "False positive - This is google generated ssh key".

No, it is not expected:
The user is using an SSH key to access the GCE. Escalate to the cloudops team to:

  1. Contact the user to use IAP Desktop to access the GCE instead.
     1. Make sure IAM has granted the user the "IAP Secured tunnel user" role or the Solvay custom role "VM Engineer".
  2. In GCP console → Compute Engine → Metadata, check that enable-oslogin is set to true.
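As an added illustration (not part of the original runbook), the following Python script applies the check described above to the instance's ssh-keys metadata: each line is classified as google-ssh (IAP/gcloud generated, with its expireOn parsed) or manual, and the triage result is "expected" only when no manually added key is present. The sample metadata lines, key blobs and reference time are constructed; the parser accepts both the "user:type blob comment" metadata form and the bare authorized_keys form shown in the example.

```python
import json
import re
from datetime import datetime, timezone

# One ssh-keys metadata line: "[user:]<key-type> <base64-blob> <comment>".
# IAP/gcloud generated keys carry the comment "google-ssh {json}"; manual keys carry free text.
KEY_LINE = re.compile(
    r"^(?:(?P<user>[^:\s]+):)?(?P<type>[\w.@-]+)\s+(?P<blob>[A-Za-z0-9+/=]+)\s*(?P<comment>.*)$"
)

def classify_key(line, now):
    """Describe one key: kind is 'google-ssh', 'manual', 'malformed-google-ssh' or 'unparseable'."""
    m = KEY_LINE.match(line.strip())
    if not m:
        return {"kind": "unparseable", "line": line}
    info = {"kind": "manual", "user": m.group("user"), "type": m.group("type"),
            "user_name": None, "expired": None}
    comment = m.group("comment")
    if comment.startswith("google-ssh "):
        try:
            meta = json.loads(comment[len("google-ssh "):])
            expire_on = datetime.strptime(meta["expireOn"], "%Y-%m-%dT%H:%M:%S%z")
            info.update(kind="google-ssh", user_name=meta.get("userName"),
                        expired=expire_on <= now)
        except (ValueError, KeyError):
            info["kind"] = "malformed-google-ssh"  # tagged google-ssh but the JSON is unusable
    return info

def triage(ssh_keys_metadata, now):
    """Expected action only if every key on the instance is a Google-generated google-ssh key."""
    keys = [classify_key(l, now) for l in ssh_keys_metadata.splitlines() if l.strip()]
    manual = [k for k in keys if k["kind"] != "google-ssh"]
    return {"expected": not manual, "keys": keys, "manual_keys": manual}

# Constructed sample metadata (not real keys): one IAP-generated key, one manually added key.
SAMPLE = "\n".join([
    'alice_solvay_com:ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY= '
    'google-ssh {"userName":"alice@solvay.com","expireOn":"2022-03-30T10:18:39+0000"}',
    "bob:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ= bob@laptop",
])
NOW = datetime(2022, 3, 30, 9, 0, tzinfo=timezone.utc)  # constructed reference time

if __name__ == "__main__":
    result = triage(SAMPLE, NOW)
    print("expected" if result["expected"] else "unexpected")
    for key in result["keys"]:
        print(key)
```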



Pattern:

{
	"gceInstanceId": "1233xxx",
	"projectId": "xxx",
	"metadataKeyOperation": "MODIFIED",
	"principalEmail": "xxx@solvay.com",
	"callerIp": "xx.xx.xx.xx",
	"callerUserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36,gzip(gfe)"
}