Shielded VM is disabled Affecting Compute Engine service in Google

Severity Framework Snyk CCSS

Rule category Operating System / Hardening

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

CIS-Controls CIS-Google CSA-CCM HIPAA

Snyk ID SNYK-CC-00383
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

Compute Engine Shielded VM instances enables several security features to ensure that instances haven't been compromised by boot or kernel-level malware or rootkits. This is achieved through use of Secure Boot, vTPM-enabled Measured Boot, and integrity monitoring.

How to fix?

Set shielded_instance_config.enable_integrity_monitoring, shielded_instance_config.enable_secure_boot, and shielded_instance_config.enable_vtpm attributes to true.

Example Configuration

resource "google_compute_instance" "test2" {
  name         = "shielded-vm2"
  machine_type = "e2-micro"
  zone         = "us-east1-b"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-11"
    }
  }

  network_interface {
    network = "default"
  }

  shielded_instance_config {
    enable_secure_boot = true
    enable_vtpm = true
    enable_integrity_monitoring = true
  }
}

Terraform

Resource: google_compute_instance

Shielded VM is disabled Affecting Compute Engine service in Google

Description

How to fix?

Example Configuration

Terraform

References