turbot/azure_compliance

Control: 8.11 Ensure Trusted Launch is enabled on Virtual Machines

Description

When Secure Boot and vTPM are enabled together, they provide a strong foundation for protecting your VM from boot attacks. For example, if an attacker attempts to replace the bootloader with a malicious version, Secure Boot will prevent the VM from booting. If the attacker is able to bypass Secure Boot and install a malicious bootloader, vTPM can be used to detect the intrusion and alert you.

Secure Boot and vTPM work together to protect your VM from a variety of boot attacks, including bootkits, rootkits, and firmware rootkits. Not enabling Trusted Launch in Azure VM can lead to increased vulnerability to rootkits and boot-level malware, reduced ability to detect and prevent unauthorized changes to the boot process, and a potential compromise of system integrity and data security.

Remediation

From Azure Portal

  1. Go to Virtual Machines.
  2. For each VM, under Settings, click on Configuration on the left blade.
  3. Under Security Type, select 'Trusted Launch Virtual Machines'.
  4. Make sure Enable Secure Boot & Enable vTPM are checked.
  5. Click on Apply.

Note: Trusted launch on existing virtual machines (VMs) is currently not supported for Azure Generation 1 VMs

Default Value

On Azure Generation 2 VMs, vTPM is enabled by default. Secure Boot is not enabled by default.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v300_8_11

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v300_8_11 --share

SQL

This control uses a named query:

manual_control

Tags