Guides
  1. google policies
  2. Virtual Machine Instances

Ensure Compute Instances Are Launched With Shielded VM Enabled

Risk Level: High
Cloud Entity: Virtual Machine Instances
CloudGuard Rule ID: D9.GCP.CRY.08
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

VMInstance should have shieldedInstanceConfig.enableIntegrityMonitoring=true

REMEDIATION

From Portal

  1. Go to the VM instances page by visiting: https://console.cloud.google.com/compute/instances.
  2. Click on the instance name to see its VM instance details page.
  3. Click STOP to stop the instance.
  4. When the instance has stopped, click EDIT.
  5. In the Shielded VM section, select Turn on vTPM and Turn on Integrity Monitoring.
  6. Optionally, if you do not use any custom or unsigned drivers on the instance, also select Turn on Secure Boot.
  7. Click the Save button to modify the instance and then click START to restart it.

From TF
set the 'enable_integrity_monitoring' and 'enable_vtpm' to be 'true':

resource 'google_compute_instance' 'default' {
	...
boot_disk {}
	shielded_instance_config {
		enable_integrity_monitoring = true
		enable_vtpm                 = true
	}
}

From Command Line
You can only enable Shielded VM options on instances that have Shielded VM support. For a list of Shielded VM public images, run the gcloud compute images list command with the following flags:

gcloud compute images list --project gce-uefi-images --no-standard-images
  1. Stop the instance:
gcloud compute instances stop INSTANCE_NAME
  1. Update the instance:
gcloud compute instances update INSTANCE_NAME --shielded-vtpm --shielded-vm-integrity-monitoring
  1. Optionally, if you do not use any custom or unsigned drivers on the instance, also turn on secure boot:
gcloud compute instances update INSTANCE_NAME --shielded-vm-secure-boot
  1. Restart the instance:
gcloud compute instances start INSTANCE_NAME

References

  1. https://cloud.google.com/compute/docs/instances/modifying-shielded-vm
  2. https://cloud.google.com/shielded-vm
  3. https://cloud.google.com/security/shielded-cloud/shielded-vm#organization-policy-constraint

Virtual Machine Instances

Compute Engine instances can run the public images for Linux and Windows Server that Google provides as well as private custom images that you can create or import from your existing systems. You can also deploy Docker containers, which are automatically launched on instances running the Container-Optimized OS public image.

You can choose the machine properties of your instances, such as the number of virtual CPUs and the amount of memory, by using a set of predefined machine types or by creating your own custom machine types.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CIS Foundations v. 1.1.0
  • GCP CIS Foundations v. 1.2.0
  • GCP CIS Foundations v. 1.3.0
  • GCP CIS Foundations v. 2.0
  • GCP CloudGuard Best Practices
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 5
  • GCP Security Risk Management

Updated 7 months ago