lacework-global-305
4.8 Ensure Compute Instances Are Launched With Shielded VM Enabled (Automated)
Profile Applicability
• Level 2
Description
To defend against against advanced threats and ensure that the boot loader and firmware on your VMs are signed and untampered, it is recommended that Compute instances are launched with Shielded VM enabled.
Rationale
Shielded VMs are virtual machines (VMs) on Google Cloud Platform hardened by a set of security controls that help defend against rootkits and bootkits.
Shielded VM offers verifiable integrity of your Compute Engine VM instances, so you can be confident your instances haven't been compromised by boot- or kernel-level malware or rootkits. Shielded VM's verifiable integrity is achieved through the use of Secure Boot, virtual trusted platform module (vTPM)-enabled Measured Boot, and integrity monitoring.
Shielded VM instances run firmware which is signed and verified using Google's Certificate Authority, ensuring that the instance's firmware is unmodified and establishing the root of trust for Secure Boot.
Integrity monitoring helps you understand and make decisions about the state of your VM instances and the Shielded VM vTPM enables Measured Boot by performing the measurements needed to create a known good boot baseline, called the integrity policy baseline. The integrity policy baseline is used for comparison with measurements from subsequent VM boots to determine if anything has changed.
Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails.
Audit
From Console:
Go to the
VM instancespage by visiting: https://console.cloud.google.com/compute/instances.Click on the instance name to see its
VM instance detailspage.Under the section
Shielded VM, ensure thatvTPMandIntegrity Monitoringareon.
From Command Line:
- For each instance in your project, get its metadata:
gcloud compute instances list --format=json | jq -r '. | "vTPM: \(.[].shieldedInstanceConfig.enableVtpm) IntegrityMonitoring: \(.[].shieldedInstanceConfig.enableIntegrityMonitoring) Name: \(.[].name)"'
- Ensure that there is a
shieldedInstanceConfigconfiguration and that configuration has theenableIntegrityMonitoringandenableVtpmset totrue. If the VM is not a Shield VM image, you will not see a shieldedInstanceConfig` in the output.
Remediation
To be able turn on Shielded VM on an instance, your instance must use an image with Shielded VM support.
From Console:
Go to the
VM instancespage by visiting: https://console.cloud.google.com/compute/instances.Click on the instance name to see its
VM instance detailspage.Click
STOPto stop the instance.When the instance has stopped, click
EDIT.In the Shielded VM section, select
Turn on vTPMandTurn on Integrity Monitoring.Optionally, if you do not use any custom or unsigned drivers on the instance, also select
Turn on Secure Boot.Click the
Savebutton to modify the instance and then clickSTARTto restart it.
From Command Line:
You can only enable Shielded VM options on instances that have Shielded VM support. For a list of Shielded VM public images, run the gcloud compute images list command with the following flags:
gcloud compute images list --project gce-uefi-images --no-standard-images
- Stop the instance:
gcloud compute instances stop <INSTANCE_NAME>
- Update the instance:
gcloud compute instances update <INSTANCE_NAME> --shielded-vtpm --shielded-vm-integrity-monitoring
- Optionally, if you do not use any custom or unsigned drivers on the instance, also turn on secure boot.
gcloud compute instances update <INSTANCE_NAME> --shielded-vm-secure-boot
- Restart the instance:
gcloud compute instances start <INSTANCE_NAME>
Prevention:
You can ensure that all new VMs will be created with Shielded VM enabled by setting up an Organization Policy to for Shielded VM at https://console.cloud.google.com/iam-admin/orgpolicies/compute-requireShieldedVm. Learn more at:
https://cloud.google.com/security/shielded-cloud/shielded-vm#organization-policy-constraint.
References
https://cloud.google.com/compute/docs/instances/modifying-shielded-vm
https://cloud.google.com/shielded-vm
https://cloud.google.com/security/shielded-cloud/shielded-vm#organization-policy-constraint
Additional Information
If you do use custom or unsigned drivers on the instance, enabling Secure Boot will cause the machine to no longer boot. Turn on Secure Boot only on instances that have been verified to not have any custom drivers installed.