Unexpected GCP API calls indicating Compute Engine shielded VM config disabled
Description
AlphaSOC detected that shielded VM security features were disabled on a Google Cloud Compute Engine instance. Shielded VMs provide protection against rootkits and boot-level malware through features like Secure Boot, Virtual Trusted Platform Module (vTPM), and Integrity Monitoring. Disabling these features reduces the security posture of the instance.
Impact
Disabling shielded VM configuration exposes instances to firmware-level attacks, rootkits, and boot malware that would normally be blocked. Attackers may disable these protections to install persistent malware that survives reboots and evades detection. Without integrity monitoring, unauthorized changes to the boot sequence may go undetected.
Severity
| Severity | Condition |
|---|---|
| Informational | Shielded VM config disabled |
| Low | Shielded VM config disabled with anomalous behavioral patterns |
| Medium | Shielded VM config disabled in suspicious context |
Investigation and Remediation
Review GCP audit logs for the compute.instances.updateShieldedInstanceConfig action to identify who disabled the shielded VM features and which instance was affected. Determine which specific features were disabled (Secure Boot, vTPM, or Integrity Monitoring) and verify whether the change was authorized.
If unauthorized, immediately re-enable the shielded VM features on the affected instance. Investigate any changes made to the instance while protections were disabled. Review other instances in the project for similar modifications.
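As an added triage example (not AlphaSOC's code), the script below walks constructed Cloud Audit Log entries, keeps only updateShieldedInstanceConfig calls, and reports the actor, the instance and which of Secure Boot, vTPM or Integrity Monitoring the request turned off. It assumes the log layout of protoPayload with methodName, authenticationInfo.principalEmail, resourceName and a request body using the enableSecureBoot, enableVtpm and enableIntegrityMonitoring field names; the project, zone, instance and principal names are placeholders.

```python
import json

METHOD_SUFFIX = "compute.instances.updateShieldedInstanceConfig"
FEATURES = {"enableSecureBoot": "Secure Boot", "enableVtpm": "vTPM",
            "enableIntegrityMonitoring": "Integrity Monitoring"}

def _entry(method, actor, instance, request, ts):
    # Build a constructed audit-log entry shaped like a Cloud Audit Log protoPayload (assumed layout).
    return {"timestamp": ts, "protoPayload": {
        "methodName": method, "authenticationInfo": {"principalEmail": actor},
        "resourceName": instance, "request": request}}

# Constructed sample entries (not real logs); all names below are placeholders.
SAMPLE_LOG = json.dumps([
    _entry("v1.compute.instances.updateShieldedInstanceConfig", "alice@example.com",
           "projects/demo-proj/zones/us-central1-a/instances/web-1",
           {"enableSecureBoot": False, "enableVtpm": False, "enableIntegrityMonitoring": True},
           "2024-05-01T10:00:00Z"),
    _entry("v1.compute.instances.setLabels", "bob@example.com",
           "projects/demo-proj/zones/us-central1-a/instances/web-2", {}, "2024-05-01T10:05:00Z"),
    _entry("beta.compute.instances.updateShieldedInstanceConfig",
           "ci-bot@demo-proj.iam.gserviceaccount.com",
           "projects/demo-proj/zones/europe-west1-b/instances/db-1",
           {"enableSecureBoot": True, "enableVtpm": True, "enableIntegrityMonitoring": True},
           "2024-05-01T11:00:00Z"),
])

def find_disabled_shielded_config(log_json):
    """Return one finding per updateShieldedInstanceConfig call that turns a feature off."""
    findings = []
    for entry in json.loads(log_json):
        payload = entry.get("protoPayload", {})
        if not payload.get("methodName", "").endswith(METHOD_SUFFIX):
            continue  # unrelated Compute Engine call
        request = payload.get("request", {})
        # Only a feature explicitly set to false in the request body counts as disabled.
        disabled = [name for key, name in FEATURES.items() if request.get(key) is False]
        if not disabled:
            continue  # call left every feature enabled (e.g. a re-enable during remediation)
        findings.append({"time": entry["timestamp"],
                         "actor": payload["authenticationInfo"]["principalEmail"],
                         "instance": payload["resourceName"], "disabled": disabled})
    return findings

if __name__ == "__main__":
    for f in find_disabled_shielded_config(SAMPLE_LOG):
        print(f"{f['time']} {f['actor']} disabled {', '.join(f['disabled'])} on {f['instance']}")
```

On the sample data only the web-1 change is reported, because the db-1 call re-enables every feature and the setLabels call is unrelated.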