Profile Applicability:
Level 2
Description:
Shielded VM is a hardened virtual machine configuration on Google Cloud that defends against rootkits and bootkits. It ensures the integrity of the bootloader, firmware, and operating system through Secure Boot, vTPM (virtual Trusted Platform Module)-enabled Measured Boot, and integrity monitoring. These features protect Compute Engine instances against tampering and provide verifiable instance integrity.
Rationale:
Enabling Shielded VM ensures that:
Secure Boot only runs boot components whose digital signatures verify, and halts the boot process if verification of any component fails.
The instance firmware is signed and verified using Google's Certificate Authority, which establishes the root of trust from which Secure Boot verifies the bootloader and operating system.
Measured Boot records the firmware, bootloader and kernel in the vTPM, and integrity monitoring compares each boot against that baseline so that unauthorized changes to the boot chain are detected and reported.
Together these controls reduce the risk of rootkits, bootkits and other boot-level tampering persisting undetected on the instance.
Impact:
Instances must use images that support Shielded VM. Changing the Shielded VM options requires stopping the instance, so remediation involves downtime. Instances with custom or unsigned drivers or kernel modules may fail to boot once Secure Boot is enabled; verify driver compatibility before enabling Secure Boot.
Default Value:
Compute instances are not required to have Shielded VM options enabled by default; whether vTPM and integrity monitoring are on for a given instance depends on the image and the settings chosen at creation.
Audit Steps:
Using Google Cloud Console:
Navigate to Compute Engine > VM Instances: https://console.cloud.google.com/compute/instances.
Select the instance name to open its details page.
Verify that the Shielded VM section shows:
vTPM: On.
Integrity Monitoring: On.
Using Google Cloud CLI:
List instances in all zones of the project and print their Shielded VM settings:
gcloud compute instances list --format=json | jq -r '.[] | "vTPM: \(.shieldedInstanceConfig.enableVtpm) IntegrityMonitoring: \(.shieldedInstanceConfig.enableIntegrityMonitoring) Name: \(.name)"'
Confirm that for every instance the shieldedInstanceConfig section has both enableVtpm and enableIntegrityMonitoring set to true. Any other value, including null for an instance that has no shieldedInstanceConfig at all, is non-compliant.
Remediation Steps:
Using Google Cloud Console:
Navigate to Compute Engine > VM Instances: https://console.cloud.google.com/compute/instances.
Select the instance name and click STOP to halt the instance.
Click EDIT and under the Shielded VM section:
Enable Turn on vTPM.
Enable Turn on Integrity Monitoring.
Optionally, enable Turn on Secure Boot if the image and all installed drivers and kernel modules are signed.
Save the changes and restart the instance.
Using Google Cloud CLI:
Stop the instance (the Shielded VM configuration can only be changed while the instance is stopped):
gcloud compute instances stop <INSTANCE_NAME> --zone <ZONE>
Update the instance to enable vTPM and integrity monitoring:
gcloud compute instances update <INSTANCE_NAME> --zone <ZONE> --shielded-vtpm --shielded-integrity-monitoring
Optionally, enable Secure Boot:
gcloud compute instances update <INSTANCE_NAME> --zone <ZONE> --shielded-secure-boot
Restart the instance:
gcloud compute instances start <INSTANCE_NAME> --zone <ZONE>
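The audit and remediation steps above can be chained into one script. The following is an added example, not part of the benchmark text or of any Google tooling: a POSIX shell script that reads the comma-separated output of gcloud compute instances list --format='csv[no-heading](name,zone.basename(),shieldedInstanceConfig.enableVtpm,shieldedInstanceConfig.enableIntegrityMonitoring,shieldedInstanceConfig.enableSecureBoot)', flags every instance that is missing vTPM or integrity monitoring, and prints the stop/update/start commands from the remediation steps for each one. The instance names, zones and values in SAMPLE_CSV are constructed so that the script runs offline; on a real project replace the sample with the live gcloud output.

```shell
#!/bin/sh
# Added example: audit Shielded VM settings and generate remediation commands.
# Input format is what the gcloud csv[no-heading] projection prints:
#   name,zone,enableVtpm,enableIntegrityMonitoring,enableSecureBoot
# gcloud prints booleans as True/False and leaves a field empty when the
# instance has no shieldedInstanceConfig at all.

# Constructed sample of gcloud output (made-up names and zones).
SAMPLE_CSV='web-1,us-central1-a,True,True,True
db-1,us-central1-b,False,False,False
legacy-1,europe-west1-b,True,False,
'

# Print one line per non-compliant instance: "<name> <zone> <missing settings>".
# Compliance for this recommendation means vTPM and integrity monitoring are
# both enabled; Secure Boot is optional (see Impact), so it is not required here.
# Anything other than the literal True (False, empty, garbage) counts as missing.
audit_shielded_csv() {
  printf '%s\n' "$1" | awk -F',' '
    NF >= 4 {
      missing = ""
      if ($3 != "True") missing = missing " vtpm"
      if ($4 != "True") missing = missing " integrity-monitoring"
      if (missing != "") printf "%s %s%s\n", $1, $2, missing
    }'
}

# Emit the gcloud commands that bring one instance into compliance.
# The update only succeeds on a stopped instance, hence stop/update/start.
remediation_commands() {
  name="$1"
  zone="$2"
  printf 'gcloud compute instances stop %s --zone %s\n' "$name" "$zone"
  printf 'gcloud compute instances update %s --zone %s --shielded-vtpm --shielded-integrity-monitoring\n' "$name" "$zone"
  printf 'gcloud compute instances start %s --zone %s\n' "$name" "$zone"
}

# Report each finding, then print the commands an operator would review and run.
audit_shielded_csv "$SAMPLE_CSV" | while read -r name zone _missing; do
  echo "# $name ($zone) is missing:$(printf ' %s' "$_missing" | sed 's/^ //' | sed 's/^/ /')"
  remediation_commands "$name" "$zone"
done
```

The script deliberately prints the remediation commands instead of executing them, since stopping production instances should go through a change window; pipe the output to sh once the list has been reviewed.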
Prevention:
To enforce Shielded VM for all new instances, configure an Organization Policy that enforces the constraint constraints/compute.requireShieldedVm at the organization, folder or project level.
Set up Shielded VM Policy: with the constraint enforced, creation of any instance that does not use a Shielded VM image or has Shielded VM disabled is rejected.
References:
Additional Information:
Enabling Secure Boot may cause boot failures if custom or unsigned drivers or kernel modules are installed. Verify driver compatibility beforehand.
Shielded VM functionality requires an image with Shielded VM support, indicated by the UEFI_COMPATIBLE guest OS feature on the image. To list the Shielded VM images in the dedicated image project:
gcloud compute images list --project gce-uefi-images --no-standard-images
CIS Controls: