Triage and Remediation
Remediation
Using Console
To remediate the “Shielded VM Should Be Enabled For Compute Instances” misconfiguration for GCP using the GCP console, follow the steps below. Shielded VM options can only be changed while the instance is stopped, and only on an instance created from a Shielded VM-compatible (UEFI) image; an instance running an incompatible image has to be recreated from a compatible one.
- Log in to the GCP Console using your credentials.
- Go to the Compute Engine page by clicking the Navigation menu and selecting “Compute Engine” under the “Compute” section, then open “VM instances”.
- Select the instance for which you want to enable Shielded VM and stop it if it is running.
- Click the “Edit” button at the top of the page.
- Under the “Security” section, in the “Shielded VM” settings, turn on Secure Boot, vTPM and Integrity Monitoring.
- Click the “Save” button at the bottom of the page to apply the Shielded VM settings to the selected instance, then start the instance again.
Using CLI
To remediate the “Shielded VM Should Be Enabled For Compute Instances” misconfiguration in GCP using the gcloud CLI, follow these steps. Shielded VM options can only be changed while the instance is stopped, and only on instances created from a Shielded VM-compatible (UEFI) image; if the update is rejected for that reason, the instance has to be recreated from a compatible image.
- Open Cloud Shell in the GCP Console (or any shell where the gcloud CLI is authenticated to the project).
- Run the following command to list the current Shielded VM settings of every instance in your project:
gcloud compute instances list --format="table(name,zone.basename(),status,shieldedInstanceConfig.enableSecureBoot,shieldedInstanceConfig.enableVtpm,shieldedInstanceConfig.enableIntegrityMonitoring)"
This lists all compute instances in the project with their zone, status and the three Shielded VM options (Secure Boot, vTPM and integrity monitoring). Identify the instances that show “False”, or an empty cell (no Shielded VM configuration at all), in any of the three columns. These are the instances that need to be remediated.
- Stop an instance that needs to be remediated:
gcloud compute instances stop INSTANCE_NAME --zone ZONE
- Run the following command to enable all three Shielded VM options on the stopped instance:
gcloud compute instances update INSTANCE_NAME --zone ZONE --shielded-secure-boot --shielded-vtpm --shielded-integrity-monitoring
Replace INSTANCE_NAME and ZONE with the name and zone of the instance that needs to be remediated. Note that Secure Boot refuses to load unsigned kernel modules and drivers, so test the change on one instance first if the workload depends on third-party kernel modules.
- Start the instance again:
gcloud compute instances start INSTANCE_NAME --zone ZONE
- Repeat the stop, update and start steps for every instance identified above.
- Run the list command again to verify that Shielded VM is enabled for all instances:
gcloud compute instances list --format="table(name,zone.basename(),status,shieldedInstanceConfig.enableSecureBoot,shieldedInstanceConfig.enableVtpm,shieldedInstanceConfig.enableIntegrityMonitoring)"
All instances should now show “True” in all three Shielded VM columns. Once you have verified this, the misconfiguration has been remediated.
Using Python
To remediate the misconfiguration of Shielded VM not being enabled for Compute Instances in GCP, the same change can be made from a Python script built on the Google Cloud Python Client Library (the google-cloud-compute package). Such a script fetches the target Compute Instance, checks whether it already has a Shielded Instance Config and creates one if not, sets the enableSecureBoot, enableVtpm and enableIntegrityMonitoring properties to True, and sends a request to update the instance’s Shielded Instance Config with the new values. To use it, replace “your-project-id”, “your-zone” and “your-instance-name” with the appropriate values for your GCP project and instance, stop the instance first (the API rejects Shielded VM changes on a running instance), and run the script in a Python environment with the Google Cloud Python Client Library installed and authenticated to the project.
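The following script is an added example written for this page; it is not the original page’s Python script and not Google’s own tooling. It ties the CLI procedure above and the Python approach together: it audits instances from the JSON that gcloud compute instances list --format=json emits (a constructed sample is embedded so it runs offline), produces the exact stop/update/start gcloud commands each non-compliant instance needs, and optionally applies the change through the google-cloud-compute client. The function and option names REQUIRED, missing_options, gcloud_plan, remediate_with_api, the SAMPLE_INSTANCES data and the --live flag are assumptions of this example.

```python
"""Audit and remediate Shielded VM settings on Compute Engine instances.

Added example, not the page's own script. Assumptions: the audit reads the JSON
that `gcloud compute instances list --format=json` emits (same shape as the
Compute API Instance resource); live remediation uses google-cloud-compute's
InstancesClient.update_shielded_instance_config, imported lazily so the audit
and planning functions run without the library or credentials installed.
"""
import json
import subprocess
import sys

# The three Shielded VM options: Compute API field name -> gcloud update flag.
REQUIRED = {
    "enableSecureBoot": "--shielded-secure-boot",
    "enableVtpm": "--shielded-vtpm",
    "enableIntegrityMonitoring": "--shielded-integrity-monitoring",
}


def missing_options(instance):
    """Options not enabled on one instance dict. An absent shieldedInstanceConfig
    usually means an older instance; if gcloud rejects the update, its image is
    not Shielded VM compatible and the instance must be recreated."""
    cfg = instance.get("shieldedInstanceConfig") or {}
    return [opt for opt in REQUIRED if not cfg.get(opt, False)]


def zone_name(instance):
    """The API gives the zone as a URL; gcloud --zone wants only its last segment."""
    return instance["zone"].rsplit("/", 1)[-1]


def find_noncompliant(instances):
    """Map 'zone/name' -> missing options for every instance needing remediation."""
    report = {}
    for inst in instances:
        missing = missing_options(inst)
        if missing:
            report[f"{zone_name(inst)}/{inst['name']}"] = missing
    return report


def gcloud_plan(instance):
    """gcloud commands that bring one instance into compliance. Shielded VM
    options can only be changed while the instance is stopped, so the plan stops
    it unless it is already TERMINATED and restarts it only if it was RUNNING."""
    missing = missing_options(instance)
    if not missing:
        return []
    name, zone = instance["name"], zone_name(instance)
    plan = []
    if instance.get("status") != "TERMINATED":
        plan.append(f"gcloud compute instances stop {name} --zone {zone}")
    flags = " ".join(REQUIRED[opt] for opt in missing)
    plan.append(f"gcloud compute instances update {name} --zone {zone} {flags}")
    if instance.get("status") == "RUNNING":
        plan.append(f"gcloud compute instances start {name} --zone {zone}")
    return plan


def remediate_with_api(project, zone, name):
    """Enable all three options through the Compute API. Needs google-cloud-compute
    and credentials; the API only accepts this on a stopped (TERMINATED) instance."""
    from google.cloud import compute_v1  # lazy import: only the live path needs it
    client = compute_v1.InstancesClient()
    inst = client.get(project=project, zone=zone, instance=name)
    if inst.status != "TERMINATED":
        raise RuntimeError(f"{name} is {inst.status}; stop it before updating")
    cfg = compute_v1.ShieldedInstanceConfig(
        enable_secure_boot=True, enable_vtpm=True, enable_integrity_monitoring=True)
    client.update_shielded_instance_config(
        project=project, zone=zone, instance=name,
        shielded_instance_config_resource=cfg).result()


# Constructed sample in the shape of `gcloud compute instances list --format=json`.
ZONES = "https://www.googleapis.com/compute/v1/projects/my-project/zones/"
SAMPLE_INSTANCES = [
    {"name": "web-1", "status": "RUNNING", "zone": ZONES + "us-central1-a",
     "shieldedInstanceConfig": {"enableSecureBoot": False, "enableVtpm": True,
                                "enableIntegrityMonitoring": True}},
    {"name": "db-1", "status": "TERMINATED", "zone": ZONES + "us-central1-b",
     "shieldedInstanceConfig": {"enableSecureBoot": True, "enableVtpm": True,
                                "enableIntegrityMonitoring": True}},
    {"name": "legacy-1", "status": "RUNNING", "zone": ZONES + "europe-west1-b"},
]


def main(argv):
    """Print the remediation plan; with --live, audit the real project via gcloud."""
    if "--live" in argv:
        out = subprocess.run(["gcloud", "compute", "instances", "list", "--format=json"],
                             check=True, capture_output=True, text=True).stdout
        instances = json.loads(out)
    else:
        instances = SAMPLE_INSTANCES
    for key, missing in find_noncompliant(instances).items():
        print(f"# {key}: missing {', '.join(missing)}")
    for inst in instances:
        for cmd in gcloud_plan(inst):
            print(cmd)


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run without arguments to see the plan for the constructed sample: web-1 needs only Secure Boot and is stopped, updated and restarted; db-1 is already compliant and gets no commands; legacy-1 has no Shielded VM configuration at all, so every option is requested and, if gcloud rejects the update, the instance has to be rebuilt from a Shielded VM-compatible image. With --live the same audit runs against the project the gcloud CLI is authenticated to, and remediate_with_api(project, zone, name) applies the change through the client library for an instance you have already stopped.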