Control: Ensure Trusted Launch is enabled on Virtual Machines
Description
When Secure Boot and vTPM are enabled together, they provide a strong foundation for protecting your VM from boot attacks. For example, if an attacker attempts to replace the bootloader with a malicious version, Secure Boot will prevent the VM from booting.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.compute_vm_trust_launch_enabled
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.compute_vm_trust_launch_enabled --share
SQL
This control uses a named query:
select
  vm.id as resource,
  case
    when (security_profile ->> 'securityType') is null
      or (security_profile ->> 'securityType') <> 'TrustedLaunch' then 'skip'
    when (security_profile -> 'uefiSettings' -> 'secureBootEnabled')::bool
      and (security_profile -> 'uefiSettings' -> 'vTpmEnabled')::bool then 'ok'
    else 'alarm'
  end as status,
  case
    when (security_profile ->> 'securityType') is null
      or (security_profile ->> 'securityType') <> 'TrustedLaunch' then vm.name || ' not using trust launch security type.'
    when (security_profile -> 'uefiSettings' -> 'secureBootEnabled')::bool
      and (security_profile -> 'uefiSettings' -> 'vTpmEnabled')::bool then vm.name || ' trusted launch enabled.'
    else vm.name || ' trusted launch disabled.'
  end as reason,
  vm.resource_group as resource_group,
  sub.display_name as subscription
from
  azure_compute_virtual_machine vm,
  azure_subscription sub
where
  sub.subscription_id = vm.subscription_id;
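To see how the control classifies each shape of security_profile before running it against a real subscription, here is an added example (not part of the azure_compliance mod) that replays the control's own case expression over constructed profile documents in plain PostgreSQL, including the edge case of a Trusted Launch VM whose uefiSettings block is missing and the case of a Confidential VM, which the control skips rather than evaluates:

```sql
-- Added example: constructed security_profile documents (not real Azure VMs)
-- fed through the same case expression the control uses for its status column.
with sample_vm(name, security_profile) as (
  values
    -- Standard (Gen1/Gen2 without Trusted Launch): no security profile -> 'skip'
    ('vm-standard',     null::jsonb),
    -- Confidential VM: securityType is not 'TrustedLaunch', so the control skips it
    ('vm-confidential', '{"securityType":"ConfidentialVM",
                          "uefiSettings":{"secureBootEnabled":true,"vTpmEnabled":true}}'::jsonb),
    -- Secure Boot and vTPM both enabled -> 'ok'
    ('vm-tl-ok',        '{"securityType":"TrustedLaunch",
                          "uefiSettings":{"secureBootEnabled":true,"vTpmEnabled":true}}'::jsonb),
    -- Secure Boot on but vTPM off -> 'alarm'
    ('vm-tl-no-vtpm',   '{"securityType":"TrustedLaunch",
                          "uefiSettings":{"secureBootEnabled":true,"vTpmEnabled":false}}'::jsonb),
    -- uefiSettings absent: each ::bool cast yields NULL, the AND is not true,
    -- so the row falls through to 'alarm' rather than being silently skipped
    ('vm-tl-no-uefi',   '{"securityType":"TrustedLaunch"}'::jsonb)
)
select
  name,
  case
    when (security_profile ->> 'securityType') is null
      or (security_profile ->> 'securityType') <> 'TrustedLaunch' then 'skip'
    when (security_profile -> 'uefiSettings' -> 'secureBootEnabled')::bool
      and (security_profile -> 'uefiSettings' -> 'vTpmEnabled')::bool then 'ok'
    else 'alarm'
  end as status
from sample_vm
order by name;
```

Run it in psql or the Steampipe query shell; swapping a sample row's securityType or flag values is a quick way to confirm which change would move a VM between skip, ok and alarm before you tune the control.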