Shielded VM Disabled
- Query id: 9038b526-4c19-4928-bca2-c03d503bdb79
- Query name: Shielded VM Disabled
- Platform: GoogleDeploymentManager
- Severity: Medium
- Category: Insecure Configurations
- CWE: 1188
- URL: Github
Description¶
Compute instances must be launched with Shielded VM enabled, which means the attribute 'shieldedInstanceConfig' must be defined and its sub attributes 'enableSecureBoot', 'enableVtpm' and 'enableIntegrityMonitoring' must be set to true
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
resources:
- name: vm-template
type: compute.v1.instance
properties:
zone: us-central1-a
machineType: zones/us-central1-a/machineTypes/n1-standard-1
disks:
- deviceName: boot
type: PERSISTENT
boot: true
autoDelete: true
initializeParams:
sourceImage: projects/debian-cloud/global/images/family/debian-9
networkInterfaces:
- network: global/networks/default
canIpForward: false
Positive test num. 2 - yaml file
resources:
- name: vm-template2
type: compute.v1.instance
properties:
zone: us-central1-a
machineType: zones/us-central1-a/machineTypes/n1-standard-1
disks:
- deviceName: boot
type: PERSISTENT
boot: true
autoDelete: true
initializeParams:
sourceImage: projects/debian-cloud/global/images/family/debian-9
networkInterfaces:
- network: global/networks/default
canIpForward: false
shieldedInstanceConfig:
enableSecureBoot: false
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
resources:
- name: vm-templatee
type: compute.v1.instance
properties:
zone: us-central1-a
machineType: zones/us-central1-a/machineTypes/n1-standard-1
disks:
- deviceName: boot
type: PERSISTENT
boot: true
autoDelete: true
initializeParams:
sourceImage: projects/debian-cloud/global/images/family/debian-9
networkInterfaces:
- network: global/networks/default
canIpForward: false
shieldedInstanceConfig:
enableSecureBoot: true
enableVtpm: true
enableIntegrityMonitoring: true