users.sshPublicKeys.patch
GCP
users.sshPublicKeys.patch
Event
Updates an existing SSH public key in a user’s GCP OS Login profile.
Security Context
- Creating long-lived access keys or credentials provides persistent access that survives password resets and session revocations.
- SSH-based lateral movement provides adversaries with interactive command-line access to other compute instances in the environment.
Log Source
Cloud Audit Logs
Sample Event
This API does not produce audit logs. Per Google’s OS Login documentation,
UpdateSshPublicKeyis on the explicit list of methods that do not generate Cloud Audit Log entries. The non-loggability IS the security story: defenders cannot directly observe this API call.Compensating controls:
- Periodically poll
getLoginProfilefor each user and diff the SSH public-key fingerprints.- Monitor VM-side
sshdauthentication logs for unexpected key fingerprints.- Enforce an organization policy that disables OS Login key uploads outside approved workflows.
No sample JSON is available because Google does not log this operation.
MITRE ATT&CK Mapping
Tactics: Persistence Lateral Movement
Techniques:
- T1098.004 — SSH Authorized Keys — Adversaries may modify the SSH <code>authorized_keys</code> file to maintain persistence on a victim host. Linux distributions, macOS, and ESXi hypervisors commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The <code>authorized_keys</...
- T1021.004 — SSH — Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.