GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
Shielded VM Should Be Enabled For Compute Instances
More Info:
Ensure Compute instances are launched with Shielded VM enabled.
Risk Level
High
Address
Security, Reliability
Compliance Standards
CISGCP, CBP, SOC2, NISTCSF
Triage and Remediation
Remediation
To remediate the “Shielded VM Should Be Enabled For Compute Instances” misconfiguration for GCP using GCP console, please follow the below steps:
- Login to the GCP Console using your credentials.
- Go to the GCP Compute Engine page by clicking on the Navigation menu and selecting “Compute Engine” under the “Compute” section.
- Select the instance for which you want to enable Shielded VM.
- Click on the “Edit” button at the top of the page.
- Under the “Security” section, select “Enable Shielded VM”.
- Click on the “Save” button at the bottom of the page to enable Shielded VM for the selected instance.
Once you have completed these steps, Shielded VM will be enabled for the selected instance. Repeat the above steps for all instances that are not configured with Shielded VM to remediate this misconfiguration.
To remediate the “Shielded VM Should Be Enabled For Compute Instances” misconfiguration in GCP using GCP CLI, follow these steps:
-
Open the Cloud Shell in the GCP Console.
-
Run the following command to check the current status of shielded VM for all instances in your project:
gcloud compute instances list --format="table(name, shielded-vm-integrity-enabled)"This will list all the compute instances in your project along with their shielded VM integrity status.
-
Identify the instances which have “false” in the “shielded-vm-integrity-enabled” column. These are the instances that need to be remediated.
-
Run the following command to enable shielded VM for the identified instances:
gcloud compute instances update INSTANCE_NAME --shielded-vm-integrity-enabledReplace INSTANCE_NAME with the name of the instance that needs to be remediated.
-
Repeat step 4 for all the instances that need to be remediated.
-
Run the following command to verify that shielded VM is enabled for all instances:
gcloud compute instances list --format="table(name, shielded-vm-integrity-enabled)"This will list all the compute instances in your project along with their shielded VM integrity status. All instances should now have “true” in the “shielded-vm-integrity-enabled” column.
-
Once you have verified that all instances have shielded VM enabled, you have successfully remediated the misconfiguration.
To remediate the misconfiguration of Shielded VM not being enabled for Compute Instances in GCP, you can use the following Python script:
from googleapiclient import discovery
from oauth2client.client import GoogleCredentials
credentials = GoogleCredentials.get_application_default()
compute = discovery.build('compute', 'v1', credentials=credentials)
project = 'your-project-id'
zone = 'your-zone'
def enable_shielded_vm(compute, project, zone, instance_name):
instance = compute.instances().get(project=project, zone=zone, instance=instance_name).execute()
if 'shieldedInstanceConfig' not in instance:
instance['shieldedInstanceConfig'] = {}
instance['shieldedInstanceConfig']['enableSecureBoot'] = True
instance['shieldedInstanceConfig']['enableVtpm'] = True
instance['shieldedInstanceConfig']['enableIntegrityMonitoring'] = True
request = compute.instances().update(project=project, zone=zone, instance=instance_name, body=instance)
response = request.execute()
return response
instance_name = 'your-instance-name'
response = enable_shielded_vm(compute, project, zone, instance_name)
print(response)
This script uses the Google Cloud Python Client Library to enable Shielded VM for a specific Compute Instance in GCP. It first checks if the instance already has a Shielded Instance Config, and if not, creates one. It then sets the enableSecureBoot, enableVtpm, and enableIntegrityMonitoring properties to True and sends a request to update the instance with the new configuration.
To use this script, replace “your-project-id”, “your-zone”, and “your-instance-name” with the appropriate values for your GCP project and instance. Then run the script in a Python environment with the Google Cloud Python Client Library installed.