Shielded VM Disabled

  • Query id: 9038b526-4c19-4928-bca2-c03d503bdb79
  • Query name: Shielded VM Disabled
  • Platform: GoogleDeploymentManager
  • Severity: Medium
  • Category: Insecure Configurations
  • URL: Github

Description

Compute instances must be launched with Shielded VM enabled, which means the attribute 'shieldedInstanceConfig' must be defined and its sub-attributes 'enableSecureBoot', 'enableVtpm' and 'enableIntegrityMonitoring' must all be set to true.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
resources:
- name: vm-template
  type: compute.v1.instance
  properties:
    zone: us-central1-a
    machineType: zones/us-central1-a/machineTypes/n1-standard-1
    disks:
    - deviceName: boot
      type: PERSISTENT
      boot: true
      autoDelete: true
      initializeParams:
        sourceImage: projects/debian-cloud/global/images/family/debian-9
    networkInterfaces:
    - network: global/networks/default
    canIpForward: false

Positive test num. 2 - yaml file
resources:
- name: vm-template2
  type: compute.v1.instance
  properties:
    zone: us-central1-a
    machineType: zones/us-central1-a/machineTypes/n1-standard-1
    disks:
    - deviceName: boot
      type: PERSISTENT
      boot: true
      autoDelete: true
      initializeParams:
        sourceImage: projects/debian-cloud/global/images/family/debian-9
    networkInterfaces:
    - network: global/networks/default
    canIpForward: false
    shieldedInstanceConfig:
      enableSecureBoot: false

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
resources:
- name: vm-templatee
  type: compute.v1.instance
  properties:
    zone: us-central1-a
    machineType: zones/us-central1-a/machineTypes/n1-standard-1
    disks:
    - deviceName: boot
      type: PERSISTENT
      boot: true
      autoDelete: true
      initializeParams:
        sourceImage: projects/debian-cloud/global/images/family/debian-9
    networkInterfaces:
    - network: global/networks/default
    canIpForward: false
    shieldedInstanceConfig:
      enableSecureBoot: true
      enableVtpm: true
      enableIntegrityMonitoring: true
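As an added illustration of the rule above (not the KICS query itself, which is written in Rego), the following Python check walks a Deployment Manager config that has already been parsed into Python structures (for example with yaml.safe_load) and reports every compute.v1.instance that fails the three-flag requirement. The sample config is constructed inline to mirror the page's positive tests 1 and 2 and negative test 1; the function and constant names are this example's own.

```python
"""Shielded VM check for Google Deployment Manager configs (added example).

Rule mirrored from this page: every compute.v1.instance must define
shieldedInstanceConfig with enableSecureBoot, enableVtpm and
enableIntegrityMonitoring all explicitly set to true.
"""

REQUIRED_FLAGS = ("enableSecureBoot", "enableVtpm", "enableIntegrityMonitoring")


def shielded_vm_findings(config):
    """Return (resource_name, problem) tuples for instances that fail the rule.

    `config` is the Deployment Manager document as a dict (e.g. from
    yaml.safe_load); resources of other types are ignored.
    """
    findings = []
    for res in config.get("resources") or []:
        if res.get("type") != "compute.v1.instance":
            continue
        name = res.get("name", "<unnamed>")
        shielded = (res.get("properties") or {}).get("shieldedInstanceConfig")
        if not isinstance(shielded, dict):
            findings.append((name, "shieldedInstanceConfig is undefined"))
            continue
        for flag in REQUIRED_FLAGS:
            # The rule wants an explicit true; absent or false both count as a finding.
            if shielded.get(flag) is not True:
                findings.append((name, f"{flag} is not set to true"))
    return findings


# Constructed sample: positive test 1 (no shieldedInstanceConfig), positive test 2
# (only enableSecureBoot, set to false) and negative test 1 (all three true).
SAMPLE_CONFIG = {
    "resources": [
        {"name": "vm-template", "type": "compute.v1.instance",
         "properties": {"zone": "us-central1-a"}},
        {"name": "vm-template2", "type": "compute.v1.instance",
         "properties": {"shieldedInstanceConfig": {"enableSecureBoot": False}}},
        {"name": "vm-templatee", "type": "compute.v1.instance",
         "properties": {"shieldedInstanceConfig": {
             "enableSecureBoot": True, "enableVtpm": True,
             "enableIntegrityMonitoring": True}}},
    ]
}

if __name__ == "__main__":
    for resource, problem in shielded_vm_findings(SAMPLE_CONFIG):
        print(f"{resource}: {problem}")
```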