Severity

0.0
low
0
10
    Severity Framework
    Snyk CCSS
    Rule category
    Operating System / Hardening

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
    Frameworks
    CIS-Controls CIS-Google CSA-CCM HIPAA
  • Snyk ID SNYK-CC-00383
  • credit Snyk Research Team

Description

Compute Engine Shielded VM instances enables several security features to ensure that instances haven't been compromised by boot or kernel-level malware or rootkits. This is achieved through use of Secure Boot, vTPM-enabled Measured Boot, and integrity monitoring.

How to fix?

Set shielded_instance_config.enable_integrity_monitoring, shielded_instance_config.enable_secure_boot, and shielded_instance_config.enable_vtpm attributes to true.

Example Configuration

resource "google_compute_instance" "test2" {
  name         = "shielded-vm2"
  machine_type = "e2-micro"
  zone         = "us-east1-b"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-11"
    }
  }

  network_interface {
    network = "default"
  }

  shielded_instance_config {
    enable_secure_boot = true
    enable_vtpm = true
    enable_integrity_monitoring = true
  }
}