Check for Desired Machine Type(s)

Risk Level: High (not acceptable risk)

Determine if your Google Cloud virtual machine instances have the desired type(s) established by your organization based on the workload deployed. The desired instance type(s) must be defined in the conformity rule settings, on the Trend Cloud One™ – Conformity account console.

Security

A machine type is a set of virtualized hardware resources available to a virtual machine (VM) instance, including the system memory size, virtual CPU (vCPU) count, and persistent disk limits. In Google Cloud Platform (GCP), virtual machine types are grouped and curated by families for different workloads. You can choose from general-purpose, memory-optimized, and compute-optimized families. Setting limits for the type(s) of the virtual machine instances provisioned in your cloud account can help you to manage better your compute power, address internal compliance requirements and prevent unexpected charges on your Google Cloud bill.

Note: For VM instances, you can change the machine type without affecting the instance's persistent disk data (including installed applications and application data), SSH keys, or other instance configurations such as instance metadata. If your instance uses an ephemeral external IP address, there is a possibility that the IP address might change. To keep the IP address from changing, promote it to a static external IP address.

Audit

To determine if all your virtual machine instances have the desired type(s), perform the following operations:

Using GCP Console

01 Sign in to your Trend Cloud One™ – Conformity account, access Check for Desired Machine Type(s) conformity rule settings and identify the desired type(s) configured for VM instances.

02 Sign in to Google Cloud Management Console.

03 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

04 Navigate to Google Compute Engine dashboard at https://console.cloud.google.com/compute.

05 In the navigation panel, select VM instances to access the list with the virtual machine (VM) instances created for the selected project.

06 Click on the name of the VM instance that you want to examine.

07 Select the Details tab to access the instance configuration details.

08 On the Details panel, check the type of the instance, listed as value for the Machine type attribute. If the virtual machine type is different than the one(s) allowed by your organization and identified at step no. 1, the selected Google Cloud virtual machine instance was not created using the desired type.

09 Repeat step no. 6 – 8 for each VM instance provisioned in the selected project.

10 Repeat steps no. 3 – 9 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Sign in to your Trend Cloud One™ – Conformity account, access Check for Desired Machine Type(s) conformity rule settings and identify the desired type(s) configured for VM instances.

02 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the Google Cloud Platform (GCP) projects available in your Google Cloud account:

gcloud projects list
    --format="table(projectId)"

03 The command output should return the requested GCP project IDs:

PROJECT_ID
cc-web-stack-project-123123
cc-app-stack-project-112233

04 Run compute instances list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as identifier parameter and custom query filters to describe the name and zone for each virtual machine (VM) instance created for the selected project:

gcloud compute instances list
    --project cc-web-stack-project-123123
    --format="table(name,zone)"

05 The command output should return the name(s) of the instance(s) available within the selected GCP project:

NAME                      ZONE
cc-backend-vm-instance    us-central1-a
cc-frontend-vm-instance   us-central1-a

06 Run compute instances describe command (Windows/macOS/Linux) using the name and the zone of the instance that you want to examine as identifier parameter and custom output filtering to describe the type of the selected virtual machine instance:

gcloud compute instances describe cc-backend-vm-instance
    --zone us-central1-a
    --format="value(machineType)"

07 The command output should return the requested machine type. The VM type is returned in the URL format, i.e. https://www.googleapis.com/compute/v1/projects/<project-name>/zones/<zone-name>/machineTypes/<machine-type>, where <project-name> represents the name of the project that created the VM instance, <zone-name> is the Google Cloud zone where the instance was deployed, and <machine-type> is the type of the virtual machine:

https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/machineTypes/e2-standard-8

Compare the machine type returned by the compute instances describe command output with the one(s) allowed by your organization, identified at step no. 1. If the verified VM type is not listed in the conformity rule configuration settings, the selected Google Cloud virtual machine instance is not using the desired machine type.

08 Repeat step no. 6 and 7 for each virtual machine instance launched within the selected project.

09 Repeat steps no. 4 – 8 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To resize your existing Google Cloud virtual machine instances to the VM type established by your organization, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to Google Compute Engine dashboard at https://console.cloud.google.com/compute.

04 In the navigation panel, select VM instances to access the list with all the Compute Engine instances provisioned for the selected project.

05 Click on the name of the virtual machine (VM) instance that you want to resize (see Audit section part I to identify the right instance), and choose STOP from the dashboard top menu to stop the selected instance. Click STOP inside the confirmation box to confirm the action.

06 Once the selected resource is stopped, choose EDIT to enter the instance edit mode.

07 Under Machine configuration, choose the appropriate virtual machine family and generation, and select the desired virtual machine instance type allowed by your organization from the Machine type dropdown list. Click Save to apply the configuration changes.

08 Once the machine type is changed, click on the START / RESUME button from the dashboard top menu and restart the selected VM instance. Click START inside the confirmation box to confirm the action.

09 Repeat steps no. 5 – 8 to reconfigure other virtual machine instances with the desired type, available in the selected GCP project.

10 Repeat steps no. 2 – 9 for each GCP project created within your Google Cloud account.

Using GCP CLI

01 Run compute instances stop command (Windows/macOS/Linux) using the name of the virtual machine instance that you want to resize as identifier parameter, to stop the selected instance:

gcloud compute instances stop cc-backend-vm-instance
    --zone=us-central1-a

02 The output should return the compute instances stop command request status:

Stopping instance(s) cc-backend-vm-instance...done.
Updated [https://compute.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/instances/cc-backend-vm-instance].

03 Run compute instances set-machine-type command (Windows/macOS/Linux) to change the machine type for the selected Google Cloud virtual machine instance to the desired type allowed by your organization (e.g. c2-standard-4):

gcloud compute instances set-machine-type cc-backend-vm-instance
    --zone=us-central1-a
    --machine-type=c2-standard-4

04 The command output should return the full URL of the reconfigured virtual machine instance:

Updated [https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/instances/cc-backend-vm-instance].

05 Run compute instances start command (Windows/macOS/Linux) to restart the reconfigured virtual machine (VM) instance:

gcloud compute instances start cc-backend-vm-instance
    --zone=us-central1-a

06 The output should return the compute instances start command request status:

Starting instance(s) cc-backend-vm-instance...done.
Updated [https://compute.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/instances/cc-backend-vm-instance].

07 Repeat steps no. 1 – 6 to reconfigure other virtual machine instances with the desired type, provisioned in the selected project.

08 Repeat steps no. 1 – 7 for each GCP project deployed within your Google Cloud account.

References

Google Cloud Platform (GCP) Documentation
Virtual machine instances
Machine types
Changing the machine type of an instance

GCP Command Line Interface (CLI) Documentation
gcloud projects list
gcloud compute instances list
gcloud compute instances describe
gcloud compute instances stop
gcloud compute instances set-machine-type
gcloud compute instances start

Publication date May 10, 2021

Audit

Using GCP Console

Using GCP CLI

Remediation / Resolution

Using GCP Console

Using GCP CLI

References

Related ComputeEngine rules