---
title: Secure Boot for Shielded GKE Nodes should be enabled
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Secure Boot for Shielded GKE Nodes
  should be enabled
---

> For the complete documentation index, see [llms.txt](https://docs.datadoghq.com/llms.txt).

# Secure Boot for Shielded GKE Nodes should be enabled
 
## Description{% #description %}

GKE Shielded node pools should enable Secure Boot to verify the digital signature of all node boot components and halt the boot process if signature verification fails. This helps ensure that only authentic, untampered software runs during system initialization.

## Remediation{% #remediation %}

Secure Boot cannot be enabled on an existing node pool. Create a new node pool with Secure Boot enabled, migrate workloads to it, then delete the non-conforming pool. See [Using Shielded GKE nodes](https://cloud.google.com/kubernetes-engine/docs/how-to/shielded-gke-nodes) for guidance.

## References{% #references %}

- [Using Shielded GKE nodes](https://cloud.google.com/kubernetes-engine/docs/how-to/shielded-gke-nodes)
- [CIS Google Kubernetes Engine (GKE) Benchmark](https://www.cisecurity.org/benchmark/kubernetes)
