Enable Deletion Protection for VM Instances

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)

Ensure that your production Google Compute Engine instances have Deletion Protection feature enabled in order to protect them from being accidentally deleted.

Security

Production and mission-critical Google Cloud virtual machine (VM) instances often need to stay running indefinitely, therefore you may need a way to protect these instances from being terminated. With Deletion Protection safety feature enabled, you have the guarantee that your VM instances cannot be accidentally deleted and make sure that your production environment remains safe.


Audit

To determine if your virtual machine (VM) instances are protected from accidental deletion, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Google Compute Engine dashboard at https://console.cloud.google.com/compute.

04 In the navigation panel, select VM instances to access the list with the virtual machine (VM) instances provisioned for the selected project.

05 Click on the name of the VM instance that you want to examine.

06 Select the Details tab to access the instance configuration details and check the Deletion protection configuration setting status. If the Deletion protection setting is disabled, the selected Google Cloud virtual machine (VM) instance is not protected from accidental deletion.

07 Repeat step no. 5 and 6 for each virtual machine instance created within the selected project.

08 Repeat steps no. 2 – 7 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the Google Cloud Platform (GCP) projects available in your Google Cloud account:

gcloud projects list
	--format="table(projectId)"

02 The command output should return the requested GCP project IDs:

PROJECT_ID
cc-web-stack-project-123123
cc-app-stack-project-112233

03 Run compute instances list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as identifier parameter and custom query filters to describe the name and zone for each VM instance provisioned for the selected project:

gcloud compute instances list
	--project cc-web-stack-project-123123
	--format="table(name,zone)"

04 The command output should return the name(s) of the instance(s) within the selected GCP project:

NAME                      ZONE
cc-frontend-vm-instance   us-central1-a
cc-internal-vm-instance   us-central1-a

05 Run compute instances describe command (Windows/macOS/Linux) using the name and the zone of the instance that you want to examine as identifier parameter and custom filtering to describe the Deletion Protection feature status, available for the selected VM instance:

gcloud compute instances describe cc-frontend-vm-instance
	--zone us-central1-a
	--format="value(deletionProtection)"

06 The command output should return the requested feature configuration status (True for enabled, False for disabled):

False

If the compute instances describe command output returns False, the Deletion Protection security feature is disabled, therefore the selected Google Cloud virtual machine (VM) instance is not protected from accidental deletion.

07 Repeat step no. 5 and 6 for each virtual machine instance launched within the selected project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To enable Deletion Protection safety feature for your production and business-critical Google Cloud VM instances, perform the following actions:

Note: You can enable deletion protection for an existing VM instance, regardless of the instance current status. Specifically, stopping the instance before enabling the feature is not required.

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to Google Compute Engine dashboard at https://console.cloud.google.com/compute.

04 In the navigation panel, select VM instances to access the list with all the Compute Engine instances provisioned for the selected project.

05 Click on the name of the virtual machine (VM) instance that you want to reconfigure (see Audit section part I to identify the right instance).

06 On the selected resource configuration page, click EDIT to enter the instance edit mode.

07 Under Deletion protection, select Enable deletion protection setting checkbox to enable the Deletion Protection safety feature for the selected Google Cloud VM instance.

08 Click Save to apply the configuration changes.

09 Repeat steps no. 5 – 8 to reconfigure other production virtual machine (VM) instances, available in the selected project, for protection.

10 Repeat steps no. 2 – 10 for each GCP project created within your Google Cloud account.

Using GCP CLI

01 Run compute instances update command (Windows/macOS/Linux) using the name of the instance that you want to reconfigure as identifier parameter (see Audit section part II to identify the right resource), to enable the Deletion Protection security feature for the selected Google Cloud VM instance:

gcloud compute instances update cc-frontend-vm-instance
	--zone us-central1-a
	--deletion-protection

02 The command output should return the compute instances update request status and confirmation:

Setting deletion protection of instance [cc-frontend-vm-instance] to [True]...done.

03 Repeat step no. 1 and 2 to reconfigure other production VM instances, available in the selected project, for deletion protection.

04 Repeat steps no. 1 – 3 for each GCP project deployed within your Google Cloud account.

References

Publication date Apr 21, 2021

Unlock the Remediation Steps


Gain free unlimited access
to our full Knowledge Base


Over 750 rules & best practices
for AWS and Azure

You are auditing:

Enable Deletion Protection for VM Instances

Risk level: Medium