Compute instance Shielded VM should be enabled

Description

Compute Engine Shielded VM instances enable several security features that help ensure instances have not been compromised by boot- or kernel-level malware or rootkits. This is achieved through Secure Boot, vTPM-enabled Measured Boot, and integrity monitoring.

Remediation Steps

To turn on Shielded VM for a Compute Engine instance, the instance must use an image with Shielded VM support.

Google Cloud Console

  • Navigate to VM instances.

  • Click on the instance name to go to the VM instance details page.

  • Click STOP if the instance is running, and then click EDIT.

  • In the Shielded VM section, select Turn on vTPM and Turn on Integrity Monitoring.

  • Optionally, if the instance does not use any custom or unsigned drivers, also select Turn on Secure Boot.

  • Click Save and then click START.

gcloud CLI

  • For a list of Shielded VM public images:

    • gcloud compute images list --project gce-uefi-images --no-standard-images

  • Stop the Compute Engine instance:

    • gcloud compute instances stop INSTANCE_NAME

  • Turn on vTPM and Integrity Monitoring:

    • gcloud compute instances update INSTANCE_NAME --shielded-vtpm --shielded-vm-integrity-monitoring

  • Optionally, if the instance does not use any custom or unsigned drivers, turn on secure boot:

    • gcloud compute instances update INSTANCE_NAME --shielded-vm-secure-boot

  • Restart the instance:

    • gcloud compute instances start INSTANCE_NAME
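The following script is an added example, not part of the original remediation text or any Google tooling. It audits an instance's Shielded VM settings from the JSON that `gcloud compute instances describe INSTANCE_NAME --format=json` prints (the `shieldedInstanceConfig` keys `enableSecureBoot`, `enableVtpm` and `enableIntegrityMonitoring`) and emits only the gcloud commands from the steps above that the instance still needs. The two JSON documents embedded in it are constructed samples with placeholder instance, project and zone names, so it runs offline; in practice the output of `describe` would be fed in instead.

```shell
#!/bin/sh
# Added example (not from the original page): audit Shielded VM settings from the JSON
# printed by `gcloud compute instances describe INSTANCE_NAME --format=json` and generate
# the remediation commands from the steps above for whatever is missing.
# Both JSON documents below are constructed samples; the instance, project and zone
# names in them are placeholders, not real resources.

# Constructed sample: vTPM on, integrity monitoring and Secure Boot off (non-compliant).
NONCOMPLIANT_VM='{
  "name": "example-vm",
  "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-a",
  "shieldedInstanceConfig": {
    "enableSecureBoot": false,
    "enableVtpm": true,
    "enableIntegrityMonitoring": false
  }
}'

# Constructed sample: all three Shielded VM options on (compliant).
COMPLIANT_VM='{
  "name": "hardened-vm",
  "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-a",
  "shieldedInstanceConfig": {
    "enableSecureBoot": true,
    "enableVtpm": true,
    "enableIntegrityMonitoring": true
  }
}'

# shielded_setting JSON KEY: prints true, false or missing for one shieldedInstanceConfig
# key. The describe output is flat enough that a line match suffices; no jq dependency.
shielded_setting() {
  line=$(printf '%s\n' "$1" | grep "\"$2\"" | head -n 1)
  case "$line" in
    *true*)  echo true ;;
    *false*) echo false ;;
    *)       echo missing ;;
  esac
}

# json_string JSON KEY: prints the string value of a top-level key such as name or zone.
json_string() {
  printf '%s\n' "$1" | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# shielded_status JSON: COMPLIANT when vTPM and integrity monitoring are both on, which is
# what this check requires. Secure Boot is handled separately because the page treats it
# as optional (instances with custom or unsigned drivers cannot boot under it).
shielded_status() {
  if [ "$(shielded_setting "$1" enableVtpm)" = true ] &&
     [ "$(shielded_setting "$1" enableIntegrityMonitoring)" = true ]; then
    echo COMPLIANT
  else
    echo NON_COMPLIANT
  fi
}

# remediation_commands JSON: prints the gcloud commands from the remediation steps that
# this instance still needs, one per line; prints nothing when it is already compliant.
remediation_commands() {
  json=$1
  name=$(json_string "$json" name)
  zone_url=$(json_string "$json" zone)
  zone=${zone_url##*/}          # keep only the zone name from the resource URL
  flags=""
  [ "$(shielded_setting "$json" enableVtpm)" = true ] || flags="$flags --shielded-vtpm"
  [ "$(shielded_setting "$json" enableIntegrityMonitoring)" = true ] || flags="$flags --shielded-vm-integrity-monitoring"
  [ -n "$flags" ] || return 0
  printf 'gcloud compute instances stop %s --zone %s\n' "$name" "$zone"
  printf 'gcloud compute instances update %s --zone %s%s\n' "$name" "$zone" "$flags"
  if [ "$(shielded_setting "$json" enableSecureBoot)" != true ]; then
    printf '# optional, only if the instance has no custom or unsigned drivers:\n'
    printf 'gcloud compute instances update %s --zone %s --shielded-vm-secure-boot\n' "$name" "$zone"
  fi
  printf 'gcloud compute instances start %s --zone %s\n' "$name" "$zone"
}

for vm in "$NONCOMPLIANT_VM" "$COMPLIANT_VM"; do
  echo "$(json_string "$vm" name): $(shielded_status "$vm")"
  remediation_commands "$vm"
done
```

The instance is stopped before the `update` and started again afterwards, matching the order of the steps above, and the `--zone` flag is filled from the zone URL in the describe output so the commands work without a default zone configured. Only the vTPM and integrity monitoring flags decide compliance; the Secure Boot command is printed as a commented optional step so an operator can verify the driver situation before applying it.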