Cyscale
Back to controls

Ensure Compute instances are launched with Shielded VM enabled

To defend against advanced threats and ensure that the boot loader and firmware on your VMs are signed and untampered, it is recommended that Compute instances are launched with Shielded VM enabled.

Category

Controls

Medium

Applies to

Google Cloud

Coverage

1 queries

Asset types

1 covered

Overview

To defend against advanced threats and ensure that the boot loader and firmware on your VMs are signed and untampered, it is recommended that Compute instances are launched with Shielded VM enabled.

Rationale

Shielded VMs are virtual machines (VMs) on Google Cloud Platform hardened by a set of security controls that help defend against rootkits and bootkits.

Shielded VM offers verifiable integrity of your Compute Engine VM instances, so you can be confident your instances haven't been compromised by boot- or kernel-level malware or rootkits. Shielded VM's verifiable integrity is achieved through the use of Secure Boot, virtual trusted platform module (vTPM)-enabled Measured Boot, and integrity monitoring.

Shielded VM instances run firmware which is signed and verified using Google's Certificate Authority, ensuring that the instance's firmware is unmodified and establishing the root of trust for Secure Boot.

Integrity monitoring helps you understand and make decisions about the state of your VM instances and the Shielded VM vTPM enables Measured Boot by performing the measurements needed to create a known good boot baseline, called the integrity policy baseline. The integrity policy baseline is used for comparison with measurements from subsequent VM boots to determine if anything has changed.

Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails.

Remediation guidance

From Google Cloud Console

  1. Go to the VM instances page by visiting: https://console.cloud.google.com/compute/instances
  2. Click on each VM instance name to go to its details page
  3. Click STOP and then click EDIT
  4. Under the section Shielded VM, select Turn on vTPM and Turn on Integrity Monitoring
  5. Optionally, if you do not use any custom or unsigned drivers on the instance, also select Turn on Secure Boot
  6. Click Save and then click START

Using Google Cloud CLI

  1. Stop the instance:
gcloud compute instances stop <instanceName>
  1. Update the instance:
gcloud compute instances update <instanceName> --shielded-vtpm --shieldedvm-integrity-monitoring
  1. Optionally, if you do not use any custom or unsigned drivers on the instance, also turn on secure boot.
gcloud compute instances update <instanceName> --shielded-vm-secure-boot
  1. Restart the instance:
gcloud compute instances start <instanceName>

Prevention

You can ensure that all new VMs will be created with Shielded VM enabled by setting up an Organization Policy to for Shielded VM at https://console.cloud.google.com/iamadmin/orgpolicies/compute-requireShieldedVm. Learn more at: https://cloud.google.com/security/shielded-cloud/shielded-vm#organization-policyconstraint.

Default Value

By default, Compute Instances do not have Shielded VM enabled.

References

  1. https://cloud.google.com/compute/docs/instances/modifying-shielded-vm
  2. https://cloud.google.com/shielded-vm
  3. https://cloud.google.com/security/shielded-cloud/shielded-vm#organization-policy-constraint

Additional information

If you do use custom or unsigned drivers on the instance, enabling Secure Boot will cause the machine to no longer boot. Turn on Secure Boot only on instances that have been verified to not have any custom drivers installed.

Service-wide remediation

Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.

Google Cloud

Use organization or folder policies where available, shared project templates, logs and alerting baselines, and IaC modules so new resources inherit the secure setting.

Operational rollout

  1. Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
  2. Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
  3. Re-scan and track approved exceptions with an owner and expiry date.

Query logic

These are the stored checks tied to this control.

GCP VMs with security features disabled

Connectors

Google Cloud

Covered asset types

VM

Expected check: eq []

{
  vms(
    where: {
      OR: [
        { shieldedInstanceConfigEnableVtpm: false }
        { shieldedInstanceConfigEnableSecureBoot: false }
        { shieldedInstanceConfigEnableIntegrityMonitoring: false }
      ]
    }
  ) {
    ...AssetFragment
  }
}
Cyscale Logo
Cyscale is an agentless cloud-native application protection platform (CNAPP) that automates the contextual analysis of cloud misconfigurations, vulnerabilities, access, and data, to provide an accurate and actionable assessment of risk.

Stay connected

Receive new blog posts and product updates from Cyscale

By clicking Subscribe, I agree to Cyscale’s Privacy Policy

© 2026 Cyscale Limited

© 2026 Cyscale Limited

Terms of useSecurity PolicyPrivacy PolicyStatusSitemap
Terms of useSecurity PolicyPrivacy Policy
StatusSitemap
LinkedIn icon
Twitter icon
Facebook icon
crunch base icon
angel icon