Azure Virtual Machine Trusted Launch is not enabled
- Contextual name: Trusted Launch is not enabled
- ID: /ce/ca/azure/virtual-machine/trusted-launch
- Located in: Azure Virtual Machines
Flags
- Policy with categories
- Policy with type
- Production policy
Our Metadata
- Policy Type: COMPLIANCE_POLICY
- Policy Category: SECURITY
Logic
- prod.logic.yaml
Description
Secure Boot and vTPM, enabled together as Trusted Launch, give a VM a verified and measured boot chain. Secure Boot checks the signature of each boot component before it runs, so if an attacker replaces the bootloader with an unsigned or tampered version, the VM refuses to boot it. The vTPM records a measurement of every component that does run; if an attacker manages to bypass Secure Boot and install a malicious bootloader, the recorded measurements no longer match the expected values, and boot-integrity attestation (for example the boot integrity report surfaced by Microsoft Defender for Cloud) can detect the change and alert you.
Rationale
Secure Boot and vTPM work together to protect a VM from a range of boot attacks, including bootkits, rootkits, and firmware rootkits. A VM without Trusted Launch is more exposed to rootkits and boot-level malware, has no built-in way to detect or prevent unauthorized changes to its boot process, and is therefore at greater risk of a compromise of system integrity and data security.
Impact
Secure Boot and vTPM are not currently supported for Azure Generation 1 VMs.
IMPORTANT: Before enabling Secure Boot and vTPM on a Generation 2 VM that does not already have both enabled, create a restore point of the VM first, so the change can be rolled back if the VM fails to boot afterwards.
Remediation
From Azure Portal
- Go to Virtual Machines.
- For each VM, under Settings, click on Configuration on the left blade.
- Under Security Type, select Trusted Launch Virtual Machines.
- Make sure Enable Secure Boot and Enable vTPM are both checked.
- Click on Apply.
Note: Trusted launch on existing virtual machines (VMs) is currently not supported for Azure Generation 1 VMs.
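As an added example, not part of this policy page or of Cloudaware's prod.logic.yaml, the following Python script applies the same check to VM descriptions and builds a remediation plan made of Azure CLI commands. The VM names, resource groups and field values are constructed to mirror the shape of `az vm show` / `az vm get-instance-view` output (`securityProfile.securityType`, `securityProfile.uefiSettings`, `instanceView.hyperVGeneration`); the property paths passed to `az vm update --set` are the ARM `securityProfile` fields. It covers the two cases the page calls out: a VM whose security type is already Trusted Launch but has Secure Boot or vTPM switched off is still a finding, and a Generation 1 VM is reported for manual handling because Trusted Launch cannot be enabled on it in place.

```python
"""Check Azure VMs for Trusted Launch (Secure Boot + vTPM) and plan remediation.

Example code added to illustrate the policy; not the policy's own logic.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample input. Field names follow `az vm show` / `az vm get-instance-view`
# output; the VM names, resource groups and values are made up for this example.
SAMPLE_VMS = [
    {   # Gen2 VM with Trusted Launch fully enabled: compliant
        "name": "web-01", "resourceGroup": "rg-prod",
        "securityProfile": {"securityType": "TrustedLaunch",
                            "uefiSettings": {"secureBootEnabled": True, "vTpmEnabled": True}},
        "instanceView": {"hyperVGeneration": "V2"},
    },
    {   # Gen2 VM created as Standard: no securityProfile at all
        "name": "db-01", "resourceGroup": "rg-prod",
        "securityProfile": None,
        "instanceView": {"hyperVGeneration": "V2"},
    },
    {   # Trusted Launch selected but vTPM switched off: still a finding
        "name": "app-01", "resourceGroup": "rg-prod",
        "securityProfile": {"securityType": "TrustedLaunch",
                            "uefiSettings": {"secureBootEnabled": True, "vTpmEnabled": False}},
        "instanceView": {"hyperVGeneration": "V2"},
    },
    {   # Gen1 VM: Secure Boot/vTPM cannot be enabled in place (see Impact)
        "name": "legacy-01", "resourceGroup": "rg-legacy",
        "securityProfile": None,
        "instanceView": {"hyperVGeneration": "V1"},
    },
]


@dataclass
class Finding:
    name: str
    resource_group: str
    generation: str
    secure_boot: bool
    vtpm: bool

    @property
    def compliant(self) -> bool:
        # The policy requires both settings, not just the Trusted Launch security type.
        return self.secure_boot and self.vtpm

    @property
    def remediable(self) -> bool:
        # Trusted Launch is only supported on Generation 2 VMs.
        return self.generation == "V2"


def evaluate(vm: dict) -> Finding:
    """Reduce one VM description to the facts the policy cares about."""
    profile = vm.get("securityProfile") or {}
    uefi = profile.get("uefiSettings") or {}
    trusted = profile.get("securityType") == "TrustedLaunch"
    return Finding(
        name=vm["name"],
        resource_group=vm["resourceGroup"],
        generation=(vm.get("instanceView") or {}).get("hyperVGeneration", "V1"),
        # UEFI settings only take effect when the security type is Trusted Launch.
        secure_boot=trusted and bool(uefi.get("secureBootEnabled")),
        vtpm=trusted and bool(uefi.get("vTpmEnabled")),
    )


def remediation_commands(f: Finding) -> list[str]:
    """Azure CLI steps for one non-compliant Gen2 VM. The VM is deallocated first;
    take a restore point before running these, as the Impact section advises."""
    target = f"--resource-group {f.resource_group} --name {f.name}"
    return [
        f"az vm deallocate {target}",
        f"az vm update {target} "
        "--set securityProfile.securityType=TrustedLaunch "
        "securityProfile.uefiSettings.secureBootEnabled=true "
        "securityProfile.uefiSettings.vTpmEnabled=true",
        f"az vm start {target}",
    ]


def build_plan(vms: list[dict]) -> dict[str, list]:
    """Sort VMs into compliant, remediable (with commands) and manual (Gen1)."""
    plan: dict[str, list] = {"compliant": [], "remediate": [], "manual": []}
    for vm in vms:
        f = evaluate(vm)
        if f.compliant:
            plan["compliant"].append(f.name)
        elif f.remediable:
            plan["remediate"].append((f.name, remediation_commands(f)))
        else:
            plan["manual"].append(f.name)
    return plan


if __name__ == "__main__":
    plan = build_plan(SAMPLE_VMS)
    print("compliant:", ", ".join(plan["compliant"]))
    print("manual (Gen1, cannot enable Trusted Launch in place):", ", ".join(plan["manual"]))
    for name, cmds in plan["remediate"]:
        print(f"remediate {name}:")
        for c in cmds:
            print("  " + c)
```

The script prints the commands rather than running them, so the restore point can be taken and the change reviewed per VM before anything is applied.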
policy.yaml
Linked Framework Sections
Section | Sub Sections | Internal Rules | Policies | Flags
---|---|---|---|---
CIS Azure v2.1.0 → 7.9 Ensure Trusted Launch is enabled on Virtual Machines - Level 1 (Automated) | 1 | | |
CIS Azure v3.0.0 → 8.11 Ensure Trusted Launch is enabled on Virtual Machines (Automated) | 1 | | |
Cloudaware Framework → Threat Protection | 25 | | |