Kingdom: Environment
This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms.
GCP Terraform Misconfiguration: Compute Engine Shielded VM Option Disabled
Abstract
A Terraform configuration sets up a Compute Engine instance without enabling all recommended Shield VM options.
Explanation
Every cloud service security feature has a unique ability to prevent or mitigate a known threat. Any feature disabled by intent or mistake offers no protection.
Disabling any Shield VM option allows an attacker to bypass implemented security restrictions for a guest operating system on a Compute Engine instance. Recommended Shield VM options (and their corresponding Terraform configuration identifiers) are as follows:
- Integrity Monitoring (enable_integrity_monitoring)
- Secure Boot (enable_secure_boot)
- Virtual Trusted Platform Module (enable_vtpm)
Example 1: The following Terraform configuration sets
Disabling any Shield VM option allows an attacker to bypass implemented security restrictions for a guest operating system on a Compute Engine instance. Recommended Shield VM options (and their corresponding Terraform configuration identifiers) are as follows:
- Integrity Monitoring (enable_integrity_monitoring)
- Secure Boot (enable_secure_boot)
- Virtual Trusted Platform Module (enable_vtpm)
Example 1: The following Terraform configuration sets
enable_integrity_monitoring to false in the shielded_instance_config block. Not all recommended Shield VM options are enabled.
resource "google_compute_instance" "compute_instance_demo" {
...
shielded_instance_config {
enable_integrity_monitoring = false
enable_secure_boot = true
enable_vtpm = true
}
...
}
References
[1] HashiCorp google_compute_instance
[2] Google Cloud Modifying Shielded VM options on a VM instance
[3] Standards Mapping - CIS Google Cloud Computing Platform Benchmark Recommendation 4.8
[4] Standards Mapping - Common Weakness Enumeration CWE ID 693, CWE ID 922
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000803, CCI-001749, CCI-002235
[6] Standards Mapping - FIPS200 CM
[7] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1), CM-5 Access Restrictions for Change (P1), CM-6 Configuration Settings (P1), IA-7 Cryptographic Module Authentication (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege, CM-6 Configuration Settings, CM-14 Signed Components, IA-7 Cryptographic Module Authentication
[10] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.6.2 Cryptographic Architectural Requirements (L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3)
[12] Standards Mapping - OWASP Top 10 2017 A9 Using Components with Known Vulnerabilities
[13] Standards Mapping - OWASP Top 10 2021 A06 Vulnerable and Outdated Components
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.2, Requirement 6.5.3
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 6.3.3
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 6.3.3
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography, Control Objective 10.2 - Threat and Vulnerability Management
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective 10.2 - Threat and Vulnerability Management
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective 10.2 - Threat and Vulnerability Management
[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000500 CAT II, APSC-DV-001430 CAT II, APSC-DV-001860 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000500 CAT II, APSC-DV-001430 CAT II, APSC-DV-001860 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000500 CAT II, APSC-DV-001430 CAT II, APSC-DV-001860 CAT I
[23] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000500 CAT II, APSC-DV-001430 CAT II, APSC-DV-001860 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000500 CAT II, APSC-DV-001430 CAT II, APSC-DV-001860 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000500 CAT II, APSC-DV-001430 CAT II, APSC-DV-001860 CAT I
desc.structural.hcl.gcp_terraform_misconfiguration_compute_engine_shielded_vm_option_disabled