Ensure compute instances launch with shielded VM enabled

Error: Compute instances launch without shielded VM enabled

Bridgecrew Policy ID: BC_GCP_GENERAL_3
Checkov Check ID: CKV_GCP_39
Severity: MEDIUM

Compute instances launch without shielded VM enabled

Description

Shielded VMs are virtual machines (VMs) on a Google Cloud Platform hardened by a set of security controls that help defend against rootkits and bootkits. Shielded VM offers verifiable integrity on your Compute Engine VM instances, so you can be confident your instances have not been compromised by boot- or kernel-level malware or rootkits. The verifiable integrity of a Shielded VM is achieved through the use of Secure Boot and integrity monitoring, see below for further details.

We recommend you launch Compute instances with Shielded VM enabled to defend against advanced threats, and ensure that the boot loader and firmware on your VMs are signed and untampered. Shielded VM instances run firmware signed and verified using Google's Certificate Authority, ensuring the instance's firmware is unmodified and the root of trust for Secure Boot is established.

Secure Boot is a virtual trusted platform module (vTPM)-enabled Measured Boot. It helps ensure that the system only runs authentic software by verifying the digital signature of all boot components and halting the boot process if signature verification fails.

Integrity monitoring helps you understand and make decisions about the state of your VM instances. The Shielded VM vTPM enables Measured Boot by performing the measurements needed to create the integrity policy baseline used for comparison with measurements from subsequent VM boots to determine any changes.

Fix - Runtime

GCP Console

To change the policy using the GCP Console, follow these steps:

  1. Log in to the GCP Console at https://console.cloud.google.com.
  2. Navigate to VM instances.
  3. Select the instance name to view the VM instance details page.
  4. Stop the instance, by clicking STOP.
  5. When the instance has stopped, click EDIT.
  6. In the Shielded VM section, turn on both vTPM and Integrity Monitoring.
  7. Optionally, if you do not use any custom or unsigned drivers on the instance, turn on Secure Boot.
  8. To modify the instance, click SAVE.
  9. To restart the instance, click START.

CLI Command

You can only enable Shielded VM options on instances that have Shielded VM support. For a list of Shielded VM public images, run the gcloud compute images list command with the following flags:
gcloud compute images list --project gce-uefi-images --no-standard-images

  1. To stop the instance, use the following command:
    gcloud compute instances stop INSTANCE_NAME

  2. To update the instance, use the following command:
    gcloud compute instances update INSTANCE_NAME --shielded-vtpm --shielded-vmintegrity-monitoring

  3. Optionally, if you do not use any custom or unsigned drivers on the instance, to turn on secure boot use the following command:
    gcloud compute instances update INSTANCE_NAME --shielded-vm-secure-boot

  4. To restart the instance, use the following command:
    gcloud compute instances start INSTANCE_NAME

Fix - Buildtime

Terraform

  • Resource: google_compute_instance
  • Arguments:
    enable_integrity_monitoring - set to true by default, should not be overriden, i.e should not be set to false.
    enable_vtpm - set to true by default, should not be overriden, i.e should not be set to false.
resource "google_compute_instance" "default" {
  name         = "test"
  machine_type = "n1-standard-1"
  zone         = "us-central1-a"
  boot_disk {}
+    shielded_instance_config {
-        enable_integrity_monitoring = false
-        enable_vtpm                 = false
        }
}