- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- Administrator's Guide
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
To defend against advanced threats and ensure that the boot loader and firmware on your VMs are signed and untampered, Datadog recommends launching compute instances with Shielded VM enabled.
Shielded VMs are virtual machines on the Google Cloud Platform that are hardened by a set of security controls and help defend against rootkits and bootkits. Shielded VM offers verifiable integrity of your Compute Engine VM instances through Secure Boot, a virtual trusted platform module (vTPM)-enabled measured boot, and integrity monitoring. This ensures your instances are not compromised by boot- or kernel-level malware, or rootkits.
Shielded VM instances run firmware which is signed and verified using Google’s Certificate Authority, ensuring that the instance’s firmware is unmodified and establishes trust for Secure Boot.
Integrity monitoring helps you understand and make decisions about the state of your VM instances and the Shielded VM vTPM enables Measured Boot by performing the measurements needed to create a known good boot baseline, also known as the integrity policy baseline. The integrity policy baseline is used to compare measurements from subsequent VM boots to determine if anything has changed.
Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halts the boot process if signature verification fails.
To turn on Shielded VM on an instance, your instance must use an image with Shielded VM support.
You can only enable Shielded VM options on instances that have Shielded VM support. For a list of Shielded VM public images, run the gcloud compute images list command with the following flags:
gcloud compute images list --project gce-uefi-images --no-standard-images
gcloud compute instances stop <INSTANCE_NAME>
.gcloud compute instances update <INSTANCE_NAME> --shielded-vtpm --shielded-vm-integrity-monitoring
.gcloud compute instances update <INSTANCE_NAME> --shielded-vm-secure-boot
.gcloud compute instances start <INSTANCE_NAME>
.To ensure that all new VMs are created with Shielded VM enabled, create an Organization Policy for Shielded VM in the Organization Policies page.
For more information, see the Google Cloud documentation.
By default, Compute Instances do not have Shielded VM enabled.
You can only set the canIpForward
field at instance creation time. After an instance is created, the field becomes read-only.
Version 8 - 4.4: Implement and Manage a Firewall on Servers
Version 8 - 4.5: Implement and Manage a Firewall on End-User Devices
Version 7 - 11.1 Maintain Standard Security Configurations for Network Devices
Version 7 - 11.2 Document Traffic Configuration Rules