Control: 8.11 Ensure Trusted Launch is enabled on Virtual Machines
Description
When Secure Boot and vTPM are enabled together, they provide a strong foundation for protecting your VM from boot attacks. For example, if an attacker attempts to replace the bootloader with a malicious version, Secure Boot will prevent the VM from booting. If the attacker is able to bypass Secure Boot and install a malicious bootloader, vTPM can be used to detect the intrusion and alert you.
Secure Boot and vTPM work together to protect your VM from a variety of boot attacks, including bootkits, rootkits, and firmware rootkits. Not enabling Trusted Launch in Azure VM can lead to increased vulnerability to rootkits and boot-level malware, reduced ability to detect and prevent unauthorized changes to the boot process, and a potential compromise of system integrity and data security.
Remediation
From Azure Portal
- Go to Virtual Machines.
- For each VM, under Settings, click on Configuration on the left blade.
- Under Security Type, select 'Trusted Launch Virtual Machines'.
- Make sure Enable Secure Boot & Enable vTPM are checked.
- Click on Apply.
Note: Trusted launch on existing virtual machines (VMs) is currently not supported for Azure Generation 1 VMs
Default Value
On Azure Generation 2 VMs, vTPM is enabled by default. Secure Boot is not enabled by default.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v300_8_11
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v300_8_11 --share
SQL
This control uses a named query:
manual_control