Enable "Shielded VM" Security Feature

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: ComputeEngine-005

Ensure that your Google Compute Engine instances are configured to use the Shielded VM security feature for protection against rootkits and bootkits. The Google Compute Engine service can enable three advanced security components for Shielded VM instances:

Virtual Trusted Platform Module (vTPM) - this component validates the guest virtual machine (VM) pre-boot and boot integrity, and provides key generation and protection.

Integrity Monitoring - lets you monitor and verify the runtime boot integrity of your shielded VM instances using Google Cloud Operations reports (also known as Stackdriver reports).

Secure Boot - this security component protects your VM instances against boot-level and kernel-level malware and rootkits.

This rule resolution is part of the Conformity Security & Compliance tool for GCP.

Security

Enable Shielded VM security feature to help protect production workloads from cybersecurity threats like remote attacks, privilege escalation, and malicious actors. Shielded virtual machines (VMs) leverage advanced platform security capabilities such as secure and measured boot, a Virtual Trusted Platform Module (vTPM), UEFI firmware, and integrity monitoring. To defend against advanced threats and ensure that the boot loader and firmware on your Google Compute Engine instances are signed and untampered, it is strongly recommended that your production instances are launched with Shielded VM enabled.


Audit

To determine if your virtual machine (VM) instances are protected by Shielded VM feature, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Google Compute Engine dashboard at https://console.cloud.google.com/compute.

04 In the navigation panel, select VM instances to access the list with the virtual machine (VM) instances launched for the selected project.

05 Click on the name of the VM instance that you want to examine.

06 Select the Details tab to access the instance configuration details.

07 On the Details panel, under Shielded VM, check Turn on vTPM and Turn on Integrity Monitoring settings status. If both Turn on vTPM and Turn on Integrity Monitoring settings are disabled, the selected Google Compute Engine instance is not fully protected by the Shielded VM security feature.

08 Repeat steps no. 5 – 7 for each virtual machine instance created within the selected project.

09 Repeat steps no. 2 – 8 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the Google Cloud Platform (GCP) projects available in your Google Cloud account:

gcloud projects list \
	--format="table(projectId)"

02 The command output should return the requested GCP project IDs:

PROJECT_ID
cc-web-stack-project-123123
cc-internal-app-project-112233

03 Run compute instances list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as identifier parameter and custom query filters to describe the name and zone for each VM instance launched for the selected project:

gcloud compute instances list \
	--project cc-web-stack-project-123123 \
	--format="table(name,zone)"

04 The command output should return the name(s) of the instance(s) within the selected GCP project:

NAME                      ZONE
cc-production-instance    us-central1-a
cc-backend-vm-instance    us-central1-a
cc-frontend-vm-instance   us-central1-a

05 Run compute instances describe command (Windows/macOS/Linux) using the name and the zone of the instance that you want to examine as identifier parameter and custom filtering to describe the Shielded VM components status, available for the selected VM instance:

gcloud compute instances describe cc-production-instance \
	--zone us-central1-a \
	--format="json(shieldedInstanceConfig.enableVtpm,shieldedInstanceConfig.enableIntegrityMonitoring)"

06 The command output should return the configuration status for Virtual Trusted Platform Module (vTPM) and Integrity Monitoring components:

{
  "shieldedInstanceConfig": {
    "enableIntegrityMonitoring": false,
    "enableVtpm": false
  }
}

If the compute instances describe command output returns null, the Shielded VM feature was not enabled for the selected instance. If the command output returns false for both "enableIntegrityMonitoring" and "enableVtpm" configuration properties, as shown in the example above, the selected Google Compute Engine instance is not fully protected by the Shielded VM security feature.

07 Repeat steps no. 5 and 6 for each virtual machine instance provisioned in the selected project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To enable and configure Shielded VM security feature in order to protect your Google Cloud VM instances against advanced security threats, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to Google Compute Engine dashboard at https://console.cloud.google.com/compute.

04 In the navigation panel, select VM instances to access the list with all the VM instances provisioned for the selected project.

05 Select the virtual machine (VM) instance that you want to reconfigure.

06 Click on the STOP button from the dashboard top menu to stop the selected instance. Click STOP inside the confirmation box to confirm the action.

07 Once the VM instance is stopped, click on the instance name to access the resource configuration page, then click EDIT to enter the edit mode.

08 Under Shielded VM, turn on the following components to enable Shielded VM protection:

  1. Select Turn on vTPM checkbox to enable the Virtual Trusted Platform Module (vTPM) component.
  2. Select Turn on Integrity Monitoring checkbox to enable the Integrity Monitoring.
  3. (Optional) If there are no custom or unsigned drivers installed on the selected instance, select Turn on Secure Boot checkbox to enable Secure Boot component. If you use custom or unsigned drivers on the selected instance, enabling Secure Boot component will cause the virtual machine (VM) to no longer boot.

09 Click Save to apply the configuration changes.

10 Click on the START button from the dashboard top menu to restart the reconfigured Google Cloud VM instance. Click START inside the confirmation box to confirm the action.

11 Repeat steps no. 5 – 10 to enable Shielded VM protection for other virtual machine instances created within the selected project.

12 Repeat steps no. 2 – 11 for each GCP project available in your Google Cloud account.

Using GCP CLI

01 Run compute instances stop command (Windows/macOS/Linux) using the name of the instance that you want to reconfigure as identifier parameter (see Audit section part II to identify the right resource), to stop the selected Google Cloud VM instance:

gcloud compute instances stop cc-production-instance \
	--zone=us-central1-a

02 The command output should return the compute instances stop request status:

Stopping instance(s) cc-production-instance...done.
Updated [https://compute.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/instances/cc-production-instance].

03 Run compute instances update command (Windows/macOS/Linux) using the name of the instance that you want to reconfigure as identifier parameter, to turn on the Virtual Trusted Platform Module (vTPM) and Integrity Monitoring components and thereby enable Shielded VM protection for the selected VM instance. Optionally, if there are no custom or unsigned drivers installed on the selected instance, include the --shielded-secure-boot flag in the command request to enable Secure Boot:

gcloud compute instances update cc-production-instance \
	--zone us-central1-a \
	--shielded-vtpm \
	--shielded-integrity-monitoring

04 The command output should return the compute instances update request status:

Setting shieldedInstanceConfig of instance [cc-production-instance]...done.

05 Run compute instances start command (Windows/macOS/Linux) to restart the reconfigured Google Compute Engine instance:

gcloud compute instances start cc-production-instance \
	--zone=us-central1-a

06 The command output should return the compute instances start request status:

Starting instance(s) cc-production-instance...done.
Updated [https://compute.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/instances/cc-production-instance].

07 Repeat steps no. 1 – 6 to enable Shielded VM protection for other virtual machine instances available in the selected project.

08 Repeat steps no. 1 – 7 for each GCP project deployed in your Google Cloud account.
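The CLI audit loop (Audit steps 1–6) and the stop/update/start remediation (Remediation steps 1–6) combined into one script, as an added example that is not part of this page or of Conformity's own tooling. It assumes an authenticated gcloud with permission to list projects and to describe, stop, update and start instances; the classify_shielded function below is the only part that runs without gcloud.

```shell
#!/bin/sh
# Added example: audit every instance in every project for Shielded VM vTPM and
# Integrity Monitoring; with REMEDIATE=1 apply the stop / update / start fix.

# Classify the JSON printed by
# gcloud compute instances describe --format="json(shieldedInstanceConfig...)".
# Prints: missing (no shieldedInstanceConfig at all), disabled (both false),
# partial (only one enabled) or protected (both enabled).
classify_shielded() {
  json="$1"
  case "$json" in
    *shieldedInstanceConfig*) ;;
    *) echo missing; return ;;
  esac
  vtpm=0; im=0
  printf '%s' "$json" | grep -Eq '"enableVtpm": *true' && vtpm=1
  printf '%s' "$json" | grep -Eq '"enableIntegrityMonitoring": *true' && im=1
  case "$vtpm$im" in
    11) echo protected ;;
    00) echo disabled ;;
    *)  echo partial ;;
  esac
}

# Stop, enable both components, start again (Remediation CLI steps 1-5).
# Secure Boot is left off on purpose: enable it only after confirming the
# instance has no custom or unsigned drivers, otherwise it will not boot.
remediate_instance() {
  inst="$1"; zone="$2"; project="$3"
  gcloud compute instances stop "$inst" --zone "$zone" --project "$project" --quiet
  gcloud compute instances update "$inst" --zone "$zone" --project "$project" \
    --shielded-vtpm --shielded-integrity-monitoring
  gcloud compute instances start "$inst" --zone "$zone" --project "$project"
}

# Walk every project and instance, print one line per instance with its state.
audit_all() {
  for project in $(gcloud projects list --format="value(projectId)"); do
    gcloud compute instances list --project "$project" \
      --format="value(name,zone.basename())" | while read -r inst zone; do
      cfg=$(gcloud compute instances describe "$inst" --zone "$zone" --project "$project" \
        --format="json(shieldedInstanceConfig.enableVtpm,shieldedInstanceConfig.enableIntegrityMonitoring)")
      state=$(classify_shielded "$cfg")
      echo "$project $zone $inst $state"
      if [ "$state" != protected ] && [ "${REMEDIATE:-0}" = 1 ]; then
        remediate_instance "$inst" "$zone" "$project"
      fi
    done
  done
}

if [ "${1:-}" = run ]; then audit_all; fi
```

Run it as `sh shielded-audit.sh run` to audit only, or `REMEDIATE=1 sh shielded-audit.sh run` to also fix every instance that is not reported as protected.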

Publication date Apr 12, 2021