Ensure Compute Instances Are Launched With Shielded VM Enabled

Shielded VMs are virtual machines (VMs) on Google Cloud Platform hardened by a set of security controls that help defend against rootkits and bootkits. Shielded VM offers verifiable integrity of your Compute Engine VM instances, so you can be confident your instances haven't been compromised by boot- or kernel-level malware or rootkits. Shielded VM's verifiable integrity is achieved through the use of Secure Boot, virtual trusted platform module (vTPM)-enabled Measured Boot, and integrity monitoring. Shielded VM instances run firmware which is signed and verified using Google's Certificate Authority, ensuring that the instance's firmware is unmodified and establishing the root of trust for Secure Boot. Integrity monitoring helps you understand and make decisions about the state of your VM instances and the Shielded VM vTPM enables Measured Boot by performing the measurements needed to create a known good boot baseline, called the integrity policy baseline. The integrity policy baseline is used for comparison with measurements from subsequent VM boots to determine if anything has changed. Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails.

Risk Level: High
Cloud Entity: Virtual Machine Instances
CloudGuard Rule ID: D9.GCP.CRY.08
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

VMInstance should have shieldedInstanceConfig.enableIntegrityMonitoring=true

REMEDIATION

From Portal

  1. Go to the VM instances page by visiting: https://console.cloud.google.com/compute/instances.
  2. Click on the instance name to see its VM instance details page.
  3. Click STOP to stop the instance.
  4. When the instance has stopped, click EDIT.
  5. In the Shielded VM section, select Turn on vTPM and Turn on Integrity Monitoring.
  6. Optionally, if you do not use any custom or unsigned drivers on the instance, also select Turn on Secure Boot.
  7. Click the Save button to modify the instance and then click START to restart it.

From TF
set the 'enable_integrity_monitoring' and 'enable_vtpm' to be 'true':

resource 'google_compute_instance' 'default' {
	...
boot_disk {}
	shielded_instance_config {
		enable_integrity_monitoring = true
		enable_vtpm                 = true
	}
}

From Command Line
You can only enable Shielded VM options on instances that have Shielded VM support. For a list of Shielded VM public images, run the gcloud compute images list command with the following flags:

gcloud compute images list --project gce-uefi-images --no-standard-images
  1. Stop the instance:
gcloud compute instances stop INSTANCE_NAME
  1. Update the instance:
gcloud compute instances update INSTANCE_NAME --shielded-vtpm --shielded-vm-integrity-monitoring
  1. Optionally, if you do not use any custom or unsigned drivers on the instance, also turn on secure boot:
gcloud compute instances update INSTANCE_NAME --shielded-vm-secure-boot
  1. Restart the instance:
gcloud compute instances start INSTANCE_NAME

References

  1. https://cloud.google.com/compute/docs/instances/modifying-shielded-vm
  2. https://cloud.google.com/shielded-vm
  3. https://cloud.google.com/security/shielded-cloud/shielded-vm#organization-policy-constraint

Virtual Machine Instances

Compute Engine instances can run the public images for Linux and Windows Server that Google provides as well as private custom images that you can create or import from your existing systems. You can also deploy Docker containers, which are automatically launched on instances running the Container-Optimized OS public image.

You can choose the machine properties of your instances, such as the number of virtual CPUs and the amount of memory, by using a set of predefined machine types or by creating your own custom machine types.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CIS Foundations v. 1.1.0
  • GCP CIS Foundations v. 1.2.0
  • GCP CIS Foundations v. 1.3.0
  • GCP CIS Foundations v. 2.0
  • GCP CloudGuard Best Practices
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 5
  • GCP Security Risk Management