Disable Auto-Delete for VM Instance Persistent Disks

Risk Level: Medium (should be achieved)

Ensure that the Auto-Delete behavior rule is disabled for the persistent disks attached to your Google Cloud virtual machine (VM) instances in order to protect the VM data from being deleted and meet security and compliance requirements.

Security

By default, the Auto-Delete rule is enabled for zonal persistent disks during virtual machine creation. When Auto-Delete is on, the persistent disks are deleted when the associated VM instance is deleted. However, for mission-critical Google Cloud VM instances and cloud environments where compliance and security requirements are more rigorous, you may need to retain the persistent disks after the instance termination. When Auto-Delete behavior rule is disabled, the zonal persistent disks attached to your VM instance are no longer removed when the instance is deleted.

Audit

To determine if the Auto-Delete behavior feature is disabled for the disks attached to your Compute Engine instances, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Google Compute Engine dashboard at https://console.cloud.google.com/compute.

04 In the navigation panel, select VM instances to access the list with the virtual machine (VM) instances provisioned for the selected project.

05 Click on the name of the VM instance that you want to examine.

06 Select the Details tab to view the configuration details available for selected instance.

07 In the Boot disk and Additional disks sections, check the Auto-Delete behavior configuration, available within When deleting instance column for each disk attached to the instance. If one or more disks selected for inspection have the Auto-Delete behavior set to Delete disk, the Auto-Delete rule is enabled, therefore those persistent disks are deleted together with the selected instance.

08 Repeat steps no. 5 – 7 for each virtual machine instance created within the selected project.

09 Repeat steps no. 2 – 8 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the Google Cloud Platform (GCP) projects available in your cloud account:

gcloud projects list
	--format="table(projectId)"

02 The command output should return the requested GCP project IDs:

PROJECT_ID
cc-web-stack-project-123123
cc-ad-platfom-project-112233

03 Run compute instances list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as identifier parameter and custom query filters to describe the name and zone for each VM instance launched for the selected project:

gcloud compute instances list
	--project cc-web-stack-project-123123
	--format="table(name,zone)"

04 The command output should return the name(s) of the instance(s) within the selected GCP project:

NAME                      ZONE
cc-production-instance    us-central1-a
cc-development-instance   us-central1-a

05 Run compute instances describe command (Windows/macOS/Linux) using the name and the zone of the virtual machine (VM) instance that you want to examine as identifier parameter and custom filtering to list the name and the Auto-Delete behavior status for each disk (boot or non-boot) attached to the selected instance:

gcloud compute instances describe cc-production-instance
	--zone us-central1-a
	--format="table(disks.deviceName,disks.autoDelete)"

06 The command output should return the requested instance disk information:

DEVICE_NAME                                              AUTO_DELETE
['cc-production-boot-disk', 'cc-production-data-disk']   [True, True]

If the compute instances describe command output returns True for one or more disks attached to the selected VM instance, as shown in the example above, the Auto-Delete behavior rule is enabled, therefore those persistent disks are deleted together with the instance.

07 Repeat step no. 5 and 6 for each virtual machine instance launched within the selected project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To disable the Auto-Delete behavior rule for the zonal persistent disks attached to your mission-critical Google Cloud VM instances, perform the following operations:

Note: You can only configure the auto-delete state of an instance persistent disk if it is attached in read/write mode.

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to Google Compute Engine dashboard at https://console.cloud.google.com/compute.

04 In the navigation panel, select VM instances to access the list with all the Compute Engine instances provisioned for the selected project.

05 Click on the name of the virtual machine (VM) instance that you want to reconfigure.

06 On the selected resource configuration page, click EDIT to enter the instance edit mode.

07 In the Boot disk section, select Keep disk from When deleting instance dropdown list, to disable the Auto-Delete behavior rule and keep the boot disk when the VM instance is terminated.

08 In the Additional disks section, if the selected instance has additional disks attached, click on the disk box header, select Keep disk under Deletion rule, and click Done to close the configuration box. Repeat this step to disable the Auto-Delete behavior for all the required data disks attached.

09 Click Save to apply the configuration changes.

10 If required, repeat steps no. 5 – 9 to disable the persistent disk auto-delete behavior for other virtual machine (VM) instances provisioned in the selected project.

11 Repeat steps no. 2 – 10 for each GCP project created within your Google Cloud account.

Using GCP CLI

01 Run compute instances set-disk-auto-delete command (Windows/macOS/Linux) using the name of the VM instance that you want to update as identifier parameter and the name of the attached disk that you want to reconfigure as value for the --disk parameter, to disable the Auto-Delete behavior rule for the selected instance persistent disk:

gcloud compute instances set-disk-auto-delete cc-production-instance
	--zone us-central1-a
	--no-auto-delete
	--disk cc-production-boot-disk

02 If successful, the command output should return the compute instances set-disk-auto-delete request status:

Updated [https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/instances/cc-production-instance].

03 If required, repeat step no. 1 and 2 to disable the persistent disk auto-delete behavior for other virtual machine (VM) instances deployed within the selected project.

04 Repeat steps no. 1 – 3 for each GCP project available in your Google Cloud account.

References

Google Cloud Platform (GCP) Documentation
Virtual machine instances
Deleting an Instance
Adding or resizing zonal persistent disks

GCP Command Line Interface (CLI) Documentation
gcloud projects list
gcloud compute instances list
gcloud compute instances describe
gcloud compute instances set-disk-auto-delete

Publication date Apr 21, 2021

Audit

Using GCP Console

Using GCP CLI

Remediation / Resolution

Using GCP Console

Using GCP CLI

References

Related ComputeEngine rules