Compute instance Shielded VM should be enabled¶
Description¶
Compute Engine Shielded VM instances enable several security features that help ensure an instance has not been compromised by boot-level or kernel-level malware or rootkits. This is achieved through Secure Boot, which verifies the signature of each boot component; vTPM-enabled Measured Boot, which records measurements of the boot sequence in a virtual TPM; and integrity monitoring, which compares those measurements against a known-good baseline and reports deviations.
Remediation Steps¶
To turn on Shielded VM for a Compute Engine instance, the instance must use an image with Shielded VM support.
Google Cloud Console¶
Navigate to VM instances.
Click on the instance name to go to the VM instance details page.
Click STOP if the instance is running, and then click EDIT.
In the Shielded VM section, select Turn on vTPM and Turn on Integrity Monitoring.
Optionally, if the instance does not use any custom or unsigned drivers, also select Turn on Secure Boot. Secure Boot refuses to load unsigned boot components and kernel modules, so an instance that depends on unsigned drivers will fail to boot with it turned on.
Click Save and then click START.
gcloud CLI¶
For a list of Shielded VM public images (the gce-uefi-images project is the legacy location; current public images that carry the UEFI_COMPATIBLE guest OS feature also support Shielded VM):
gcloud compute images list --project gce-uefi-images --no-standard-images
Stop the Compute Engine instance:
gcloud compute instances stop INSTANCE_NAME
Turn on vTPM and Integrity Monitoring:
gcloud compute instances update INSTANCE_NAME --shielded-vtpm --shielded-vm-integrity-monitoring
Optionally, if the instance does not use any custom or unsigned drivers, turn on Secure Boot:
gcloud compute instances update INSTANCE_NAME --shielded-vm-secure-boot
Restart the instance:
gcloud compute instances start INSTANCE_NAME
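The gcloud steps above are manual. As an added example (not part of this page or of Google's tooling), the script below audits one instance from the JSON that `gcloud compute instances describe INSTANCE_NAME --format=json` returns, checks that its image is UEFI-compatible from `gcloud compute images describe IMAGE --format=json`, and builds the stop / update / start command sequence for whatever is still off. The field names `shieldedInstanceConfig.enableVtpm`, `enableIntegrityMonitoring`, `enableSecureBoot` and `guestOsFeatures[].type == "UEFI_COMPATIBLE"` are those of the Compute Engine API; the instance and image JSON documents embedded here are constructed samples, and the instance name `web-1` and image names are made up for the example.

```python
"""Audit a Compute Engine instance's Shielded VM settings from gcloud JSON
output and emit the gcloud commands needed to bring it into compliance."""
import json
from typing import List, Optional

# Compute API shieldedInstanceConfig fields mapped to the
# `gcloud compute instances update` flag that turns each one on.
REQUIRED_SETTINGS = {
    "enableVtpm": "--shielded-vtpm",
    "enableIntegrityMonitoring": "--shielded-vm-integrity-monitoring",
}
OPTIONAL_SETTINGS = {
    # Optional because Secure Boot stops instances that rely on unsigned drivers.
    "enableSecureBoot": "--shielded-vm-secure-boot",
}

# Constructed sample: a trimmed `instances describe --format=json` document
# for a running instance with integrity monitoring on but vTPM and Secure Boot off.
SAMPLE_INSTANCE = json.dumps({
    "name": "web-1",
    "status": "RUNNING",
    "zone": "https://www.googleapis.com/compute/v1/projects/demo/zones/us-central1-a",
    "shieldedInstanceConfig": {
        "enableSecureBoot": False,
        "enableVtpm": False,
        "enableIntegrityMonitoring": True,
    },
})
# Constructed sample: an image that supports Shielded VM ...
SAMPLE_UEFI_IMAGE = json.dumps({
    "name": "debian-12-example",
    "guestOsFeatures": [{"type": "VIRTIO_SCSI_MULTIQUEUE"}, {"type": "UEFI_COMPATIBLE"}],
})
# ... and one that does not (no UEFI_COMPATIBLE feature).
SAMPLE_LEGACY_IMAGE = json.dumps({"name": "legacy-bios-example", "guestOsFeatures": []})


def audit_shielded_config(instance_json: str) -> dict:
    """Return which Shielded VM settings are off for one instance.

    A missing shieldedInstanceConfig block is treated as every setting off.
    """
    inst = json.loads(instance_json)
    cfg = inst.get("shieldedInstanceConfig") or {}
    return {
        "name": inst["name"],
        "missing_required": [k for k in REQUIRED_SETTINGS if not cfg.get(k)],
        "missing_optional": [k for k in OPTIONAL_SETTINGS if not cfg.get(k)],
    }


def image_supports_shielded_vm(image_json: str) -> bool:
    """Shielded VM needs a UEFI-capable image: look for the guest OS feature."""
    image = json.loads(image_json)
    return any(f.get("type") == "UEFI_COMPATIBLE" for f in image.get("guestOsFeatures", []))


def remediation_commands(instance_json: str, image_json: Optional[str] = None,
                         enable_secure_boot: bool = False) -> List[str]:
    """Build the stop / update / start sequence for a non-compliant instance."""
    inst = json.loads(instance_json)
    findings = audit_shielded_config(instance_json)
    name = inst["name"]
    zone = inst["zone"].rsplit("/", 1)[-1]  # the zone field is a self-link URL

    if image_json is not None and not image_supports_shielded_vm(image_json):
        # `instances update` cannot fix this case: the VM has to be recreated
        # from an image that carries the UEFI_COMPATIBLE guest OS feature.
        return [f"# {name}: image lacks UEFI_COMPATIBLE; recreate it from a Shielded VM image"]

    flags = [REQUIRED_SETTINGS[k] for k in findings["missing_required"]]
    if enable_secure_boot:
        flags += [OPTIONAL_SETTINGS[k] for k in findings["missing_optional"]]
    if not flags:
        return []  # already compliant, nothing to run

    running = inst.get("status") == "RUNNING"
    cmds = []
    if running:  # the update only applies to a stopped instance
        cmds.append(f"gcloud compute instances stop {name} --zone {zone}")
    cmds.append(f"gcloud compute instances update {name} --zone {zone} " + " ".join(flags))
    if running:  # restore the original state afterwards
        cmds.append(f"gcloud compute instances start {name} --zone {zone}")
    return cmds


if __name__ == "__main__":
    for cmd in remediation_commands(SAMPLE_INSTANCE, SAMPLE_UEFI_IMAGE):
        print(cmd)
```

Feed it real output by substituting the two `describe` documents; it deliberately only prints commands rather than running them, so the stop of a production instance stays a reviewed, explicit step. Secure Boot is added only on request, mirroring the page's advice to turn it on only where no unsigned drivers are in use.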