Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Approved Virtual Machine Image in Use

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that all the Google Cloud virtual machine instances necessary for your application stack are launched from an approved machine image, known as golden machine image, in order to enforce security best practices, consistency, and save time when scaling your cloud application. The approved machine image must be defined in the conformity rule settings, on the Trend Cloud One™ – Conformity account console.

Security

A machine image is a Compute Engine resource that stores all the configuration, metadata, permissions, and data from one or more disks required to create a virtual machine (VM) instance. An approved machine image is a custom virtual machine image that contains a pre-configured OS and a well-defined stack of server software, fully configured to run your application. Using approved (golden) machine images to launch new VM instances within your Google Cloud Platform (GCP) project brings major benefits such as fast and stable application deployment and scaling, secure application stack upgrades, and versioning.

Audit

To determine if your Google Cloud virtual machine instances are being launched from an approved image only, perform the following actions:

Note: Getting the machine image details for VM instances using Google Cloud Platform (GCP) Command Line Interface (CLI) is not currently supported.

Using GCP Console

01 Sign in to your Trend Cloud One™ – Conformity account, access Approved Virtual Machine Image in Use conformity rule settings and identify the approved (golden) machine image defined for your Google Cloud projects.

02 Sign in to Google Cloud Management Console.

03 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

04 Navigate to Google Compute Engine dashboard at https://console.cloud.google.com/compute.

05 In the navigation panel, select VM instances to access the list with the virtual machine (VM) instances created for the selected project.

06 Click on the name of the virtual machine instance that you want to examine.

07 Select the Details tab to access the configuration details available for selected instance.

08 In the Boot disk section, check the name of the machine image used to create the selected virtual machine, available in the Image column. If the name of the machine image is different than the name of the approved image identified at step no. 1, the selected Google Cloud virtual machine instance was deployed without using an approved (golden) machine image.

09 Repeat step no. 6 – 8 for each VM instance provisioned for the selected GCP project.

10 Repeat steps no. 3 – 9 for each project deployed in your Google Cloud account.

Remediation / Resolution

To meet security and compliance requirements within your organization and deploy Google Cloud virtual machine instances from approved machine images only, re-create the required VM instances using the approved (golden) machine image by perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to Google Compute Engine dashboard at https://console.cloud.google.com/compute.

04 In the navigation panel, select VM instances to access all the virtual machine (VM) instances provisioned for the selected project.

05 Click on the name of the instance that you want to re-create using the approved machine image (see Audit section to identify the right resource).

06 Select the Details tab and collect all the necessary configuration details and metadata available for selected VM instance.

07 In the navigation panel, select Machine images to access the list with all the machine images available for the selected project.

08 Choose the approved (golden) machine image created for the selected GCP project, then click on the 3-dot button available in the Actions column and select Create instance to initiate the VM instance launch process.

09 On the Create an instance page, perform the following actions:

  1. Provide a unique name for the new virtual machine instance in the Name box.
  2. Make sure that all the instance settings are configured based on the information taken at step no. 6.
  3. Click Create to launch your new, approved virtual machine instance.

10 Migrate the necessary application data from the source (non-approved) virtual machine instance to the destination (approved) VM instance.

11 To avoid extra charges on your Google Cloud bill, you can remove the source (non-approved) instance from your GCP project. To remove the required instance, perform the following:

  1. In the navigation panel, select VM instances.
  2. Choose the VM instance that you want to remove, then click the 3-dot button for instance menu options and select Delete to initiate the removal process.
  3. Within the Delete an instance confirmation box, select DELETE to confirm the action and remove the selected instance from your project.

12 Repeat steps no. 5 – 11 to re-create other virtual machine instances with the approved application stack, available in the selected GCP project.

13 Repeat steps no. 2 – 12 for each GCP project created within your Google Cloud account.

Using GCP CLI

01 Run compute instances create command (Windows/macOS/Linux) using the name of the approved (golden) machine image as value for the --source-machine-image parameter, to create a new virtual machine (VM) instance with the approved application stack, in the appropriate Google Cloud zone (location): 

gcloud beta compute instances create cc-frontend-golden-instance
    --zone us-central1-a
    --source-machine-image cc-project5-golden-image

02 The command output should return the metadata available for the new, approved VM instance: 

Created [https://www.googleapis.com/compute/beta/projects/cc-web-stack-project-123123/zones/us-central1-a/instances/cc-frontend-golden-instance].

NAME                         ZONE           MACHINE_TYPE   INTERNAL_IP  STATUS
cc-frontend-golden-instance  us-central1-a  n1-standard-8  10.128.0.45  RUNNING

03 Migrate the necessary application data from the source (non-approved) virtual machine instance to the destination (approved) VM instance.

04 To avoid extra charges on your Google Cloud bill, you can remove the source (non-approved) instance from your GCP project. To delete the required instance, run compute instances delete command (Windows/macOS/Linux) using the name of the instance that you want to delete as identifier parameter, to remove the selected VM resource from your project: 

gcloud compute instances delete cc-frontend-vm-instance
    --zone us-central1-a

05 Press Y at the command prompt to confirm the Google Cloud resource removal: 

The following instances will be deleted. Any attached disks configured to be auto-deleted will be deleted unless they are attached to any other instances or the `--keep-disks` flag is given and specifies them for keeping. Deleting a disk is irreversible and any data on the disk will be lost.
 - [cc-frontend-vm-instance] in [us-central1-a]
Do you want to continue (Y/n)?

06 The command output should return the URL of the deleted virtual machine (VM) instance: 

Deleted [https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/instances/cc-frontend-vm-instance].

07 Repeat steps no. 1 – 6 to re-create other virtual machine instances with the approved application stack, available in the selected GCP project.

08 Repeat steps no. 1 – 7 for each GCP project deployed within your Google Cloud account.

References

Publication date May 10, 2021

Related ComputeEngine rules