Google Compute Engine

VM Instance Disks Auto Delete Enabled

Ensures that Virtual Machine instances have the auto-delete feature disabled.

Risk Level: Low

Description

This plugin ensures that Virtual Machine instances have the auto-delete feature disabled. Each disk attached to a VM instance carries an auto-delete setting; when it is set to true, that persistent disk is deleted automatically whenever the associated VM instance is deleted. A persistent disk can be used as a boot disk or a data disk for a VM instance.

About the Service

Google Cloud Compute Engine:

Google Cloud Compute Engine is a service that allows you to create Virtual Machines based on your preferences and run them on Google's infrastructure. You can either use the predefined machine types with certain default configurations or create your own custom Virtual Machine to meet your exact requirements. To know more, see the Google Cloud Compute Engine documentation.

Impact

When this feature is enabled, deleting a VM instance also deletes the persistent disks associated with it. However, after deleting the instance you may still require the data on those disks (for example, for recovery, forensics, or reuse on a replacement instance), and once the disk is gone that data cannot be recovered. As a result, to ensure optimum security, PingSafe advises turning off the auto-delete feature.

Steps to Reproduce

Using the GCP Console:

  1. Log In to your GCP Console.
  2. From the top navigation bar, select the GCP project you want to investigate.
  3. From the navigation panel on the left side of the console, go to Compute Engine and select VM Instances. If you are already logged in, you can navigate directly to the VM Instances page.
  4. Select the VM instance you want to investigate from the list of instances and go to the Details tab to examine the details of the VM instance selected.
  5. Scroll down to the Storage section and check the "When deleting instance" status for all the Boot disks, Local disks, and Additional disks. If it is set to "Delete disk", then auto-delete is enabled for that disk.
  6. Repeat steps 4 and 5 for all the VM instances you want to investigate in the selected project.
  7. If you have multiple projects that you want to investigate, repeat steps 2 to 6 for each project in your GCP console.

Steps for Remediation

Determine whether or not you truly require auto-delete to be enabled. If not, make the necessary changes to disable it using the steps given below.

Using the GCP Console:

  1. Log In to your GCP Console.
  2. From the top navigation bar, select the GCP project you want to investigate.
  3. From the navigation panel on the left side of the console, go to Compute Engine and select VM Instances. If you are already logged in, you can navigate directly to the VM Instances page.
  4. From the list of instances, choose the VM instance you want to reconfigure. (If you aren't sure which instance needs to be reconfigured, follow the Steps to Reproduce listed above to determine which instance to choose.)
  5. Select the Edit option from the top navigation bar of the VM instance details page.
  6. Scroll down to the Storage section and, for each disk, select the "Keep disk" option under the Deletion rule configuration. Click SAVE to save the changes.
  7. Repeat steps 4 to 6 for all the VM instances you want to reconfigure in the selected project.
  8. If you have multiple projects, repeat steps 2 to 7 for each project in your GCP console.
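The console steps above (both the Steps to Reproduce and the Steps for Remediation) can be carried out programmatically against the same data the console displays. The following is an added example, not PingSafe's or Google's code: it inspects an instance resource in the shape returned by `gcloud compute instances describe --format=json` (or the Compute API's instances.get), where each entry in `disks` carries the `autoDelete` flag that the console shows as "When deleting instance", and it builds the matching `gcloud compute instances set-disk-auto-delete ... --no-auto-delete` command for every persistent disk that fails the check. The instance document below is constructed for the example, and the project ID in it is a placeholder.

```python
"""
Audit one Compute Engine instance for persistent disks with auto-delete
enabled and build the remediation commands.

Added example, not PingSafe's or Google's code. Input follows the instance
resource shape of `gcloud compute instances describe --format=json`; the
instance below is constructed and PROJECT_ID_PLACEHOLDER is a placeholder.
"""
from dataclasses import dataclass

# Constructed sample: a boot disk with auto-delete on (fails the check), a data
# disk with auto-delete off (passes) and a local SSD (SCRATCH, always ephemeral).
SAMPLE_INSTANCE = {
    "name": "example-vm",
    "zone": "https://www.googleapis.com/compute/v1/projects/"
            "PROJECT_ID_PLACEHOLDER/zones/us-central1-a",
    "disks": [
        {"type": "PERSISTENT", "boot": True, "autoDelete": True,
         "deviceName": "example-vm",
         "source": "https://www.googleapis.com/compute/v1/projects/"
                   "PROJECT_ID_PLACEHOLDER/zones/us-central1-a/disks/example-vm"},
        {"type": "PERSISTENT", "boot": False, "autoDelete": False,
         "deviceName": "data-1",
         "source": "https://www.googleapis.com/compute/v1/projects/"
                   "PROJECT_ID_PLACEHOLDER/zones/us-central1-a/disks/data-1"},
        {"type": "SCRATCH", "boot": False, "autoDelete": True,
         "deviceName": "local-ssd-0"},
    ],
}


@dataclass(frozen=True)
class Finding:
    """One persistent disk that would be deleted together with its instance."""
    instance: str
    zone: str
    device_name: str
    disk_name: str
    boot: bool


def zone_name(instance: dict) -> str:
    """The zone field is a full resource URL; the zone is its last path segment."""
    return instance["zone"].rsplit("/", 1)[-1]


def find_auto_delete_disks(instance: dict) -> list[Finding]:
    """Return a Finding for every PERSISTENT disk whose autoDelete flag is true.

    SCRATCH (local SSD) disks are skipped on purpose: their contents are always
    lost when the VM is deleted, so the auto-delete rule does not protect them.
    """
    findings = []
    for disk in instance.get("disks", []):
        if disk.get("type") != "PERSISTENT":
            continue
        if not disk.get("autoDelete", False):
            continue
        findings.append(Finding(
            instance=instance["name"],
            zone=zone_name(instance),
            device_name=disk["deviceName"],
            disk_name=disk["source"].rsplit("/", 1)[-1],
            boot=bool(disk.get("boot", False)),
        ))
    return findings


def remediation_commands(findings: list[Finding]) -> list[str]:
    """gcloud command per finding that switches the disk to 'Keep disk'."""
    return [
        "gcloud compute instances set-disk-auto-delete "
        f"{f.instance} --zone={f.zone} --device-name={f.device_name} "
        "--no-auto-delete"
        for f in findings
    ]


if __name__ == "__main__":
    found = find_auto_delete_disks(SAMPLE_INSTANCE)
    for f in found:
        kind = "boot" if f.boot else "data"
        print(f"[FAIL] {f.instance}/{f.device_name} ({kind} disk {f.disk_name}): "
              "auto-delete enabled")
    for cmd in remediation_commands(found):
        print(cmd)
```

To audit a whole project, feed each element of `gcloud compute instances list --format=json` to `find_auto_delete_disks` and repeat per project, which mirrors steps 6 and 7 of the console procedure. Review the generated commands before running them: as the remediation section says, the decision to keep a disk should be deliberate, and keeping disks after their instance is gone also means they continue to incur storage cost until you delete them yourself.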