Shielded VM Disabled
- Query id: 1b44e234-3d73-41a8-9954-0b154135280e
- Query name: Shielded VM Disabled
- Platform: Terraform
- Severity: Medium
- Category: Insecure Configurations
- CWE: 732
- URL: Github
Description
Compute instances must be launched with Shielded VM enabled, meaning the 'shielded_instance_config' attribute must be defined and all three of its sub-attributes, 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring', must be set to true. A block in which any one of these is missing or false is reported.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
# This is problematic code for which the query should report one or more results
# Positive case: no shielded_instance_config block at all, so none of
# enable_secure_boot, enable_vtpm or enable_integrity_monitoring is set.
# NOTE(review): these samples use `data` blocks (a lookup of an existing
# instance) while the description talks about launching instances, which
# would normally be a `resource` block — confirm which block type the
# query is intended to match.
data "google_compute_instance" "appserver1" {
  zone = "us-central1-a"
  name = "primary-application-server"
}
# Positive case: shielded_instance_config is present, but
# enable_integrity_monitoring is not set (only Secure Boot and vTPM are).
data "google_compute_instance" "appserver2" {
  zone = "us-central1-a"
  name = "primary-application-server"

  shielded_instance_config {
    enable_vtpm        = true
    enable_secure_boot = true
  }
}
# Positive case: shielded_instance_config is present, but enable_vtpm is
# not set (only Secure Boot and integrity monitoring are).
data "google_compute_instance" "appserver3" {
  zone = "us-central1-a"
  name = "primary-application-server"

  shielded_instance_config {
    enable_integrity_monitoring = true
    enable_secure_boot          = true
  }
}
# Positive case: shielded_instance_config is present, but
# enable_secure_boot is not set (only vTPM and integrity monitoring are).
data "google_compute_instance" "appserver4" {
  zone = "us-central1-a"
  name = "primary-application-server"

  shielded_instance_config {
    enable_integrity_monitoring = true
    enable_vtpm                 = true
  }
}
# Positive case: all three sub-attributes are set, but enable_secure_boot
# is explicitly false.
data "google_compute_instance" "appserver5" {
  zone = "us-central1-a"
  name = "primary-application-server"

  shielded_instance_config {
    enable_integrity_monitoring = true
    enable_vtpm                 = true
    enable_secure_boot          = false
  }
}
# Positive case: all three sub-attributes are set, but enable_vtpm is
# explicitly false.
data "google_compute_instance" "appserver6" {
  zone = "us-central1-a"
  name = "primary-application-server"

  shielded_instance_config {
    enable_integrity_monitoring = true
    enable_secure_boot          = true
    enable_vtpm                 = false
  }
}
# Positive case: all three sub-attributes are set, but
# enable_integrity_monitoring is explicitly false.
data "google_compute_instance" "appserver7" {
  zone = "us-central1-a"
  name = "primary-application-server"

  shielded_instance_config {
    enable_vtpm                 = true
    enable_secure_boot          = true
    enable_integrity_monitoring = false
  }
}
Code samples without security vulnerabilities
Negative test num. 1 - tf file
# This is correct code for which the query should not report any result
# Negative case: shielded_instance_config is present and Secure Boot,
# vTPM and integrity monitoring are all explicitly enabled.
data "google_compute_instance" "appserver" {
  zone = "us-central1-a"
  name = "primary-application-server"

  shielded_instance_config {
    enable_integrity_monitoring = true
    enable_vtpm                 = true
    enable_secure_boot          = true
  }
}