Compute instances must be launched with Shielded VM enabled

ID

gcp_shielded_vm_disabled

Severity

low

Vendor

GCP

Resource

AIM

Tags

reachable

Description

The shielded_instance_config parameters are used to enable or disable the Shielded VM features on a Google Cloud compute instance. Shielded VMs are virtual machines that offer security features such as UEFI-compliant firmware, Secure Boot, vTPM-protected Measured Boot, and integrity monitoring. These features help defend against rootkits and bootkits that can compromise VM instances.

To fix this, the attribute 'shielded_instance_config' must be defined and its sub-attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must all be set to true.

Learn more about this topic at What is Shielded VM?.

Examples

---
- name: create an instance
  google.cloud.gcp_compute_instance:
    name: test_object7
    machine_type: n1-standard-1
    metadata:
      startup-script-url: gs://graphite-playground/bootstrap.sh
      cost-center: '12345'
    labels:
      environment: production
    network_interfaces:
    - network: "{{ network }}"
      access_configs:
      - name: External NAT
        nat_ip: "{{ address }}"
        type: ONE_TO_ONE_NAT
    zone: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
    shielded_instance_config:
      enable_integrity_monitoring: no
      enable_secure_boot: no
      enable_vtpm: no

Mitigation / Fix

---
- name: create an instance
  google.cloud.gcp_compute_instance:
    name: instance-1
    machine_type: n1-standard-1
    disks:
    - auto_delete: 'true'
      boot: 'true'
      source: '{{ disk }}'
    - auto_delete: 'true'
      interface: NVME
      type: SCRATCH
      initialize_params:
        disk_type: local-ssd
    metadata:
      env: production
    labels:
      environment: production
    network_interfaces:
    - network: '{{ network }}'
      access_configs:
      - name: External NAT
        nat_ip: '{{ address }}'
        type: ONE_TO_ONE_NAT
    zone: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: /tmp/auth.pem
    state: present
    shielded_instance_config:
      enable_integrity_monitoring: yes
      enable_secure_boot: yes
      enable_vtpm: yes
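The following is an added example, not part of this rule page or of the google.cloud collection: a static check that applies the rule above to already-parsed Ansible tasks (given here as constructed Python dicts mirroring the two playbook snippets, so no YAML library is needed). The function names and the constructed tasks are assumptions; a task is flagged when 'shielded_instance_config' is absent or any of its three sub-attributes is not true, honouring Ansible's yes/no boolean spellings.

```python
MODULE_NAMES = {"google.cloud.gcp_compute_instance", "gcp_compute_instance"}
REQUIRED = ("enable_secure_boot", "enable_vtpm", "enable_integrity_monitoring")

def is_enabled(value) -> bool:
    """Treat YAML booleans and their Ansible string spellings (yes/true/on/1) as enabled."""
    if isinstance(value, str):
        return value.strip().lower() in {"true", "yes", "on", "1"}
    return value is True or value == 1

def check_task(task: dict) -> list[str]:
    """Return rule violations for one task; empty if compliant or not a GCE instance task."""
    module = next((m for m in MODULE_NAMES if m in task), None)
    if module is None:
        return []  # some other module, the rule does not apply
    params = task.get(module) or {}
    name = task.get("name", "<unnamed task>")
    cfg = params.get("shielded_instance_config")
    if not isinstance(cfg, dict):
        return [f"{name}: shielded_instance_config is not defined"]
    return [f"{name}: {attr} must be true" for attr in REQUIRED if not is_enabled(cfg.get(attr))]

def check_playbook(tasks: list[dict]) -> list[str]:
    """Flatten findings over a list of parsed tasks (hypothetical helper)."""
    return [finding for task in tasks for finding in check_task(task)]

# Constructed sample tasks mirroring the page's two playbook snippets.
NONCOMPLIANT_TASK = {
    "name": "create an instance",
    "google.cloud.gcp_compute_instance": {
        "name": "test_object7",
        "shielded_instance_config": {
            "enable_integrity_monitoring": "no", "enable_secure_boot": "no", "enable_vtpm": "no"},
    },
}
COMPLIANT_TASK = {
    "name": "create an instance",
    "google.cloud.gcp_compute_instance": {
        "name": "instance-1",
        "shielded_instance_config": {
            "enable_integrity_monitoring": True, "enable_secure_boot": "yes", "enable_vtpm": True},
    },
}
# Config block omitted entirely: the check must flag this, not silently pass it.
MISSING_TASK = {"name": "instance-2", "google.cloud.gcp_compute_instance": {"name": "instance-2"}}

if __name__ == "__main__":
    for finding in check_playbook([NONCOMPLIANT_TASK, COMPLIANT_TASK, MISSING_TASK]):
        print(finding)
```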