Ensure That Compute Instances Have Confidential Computing Enabled

More Info:

Confidential Computing enables customers’ sensitive code and other data encrypted in memory during processing. Google does not have access to the encryption keys. Confidential VM can help alleviate concerns about risk related to either dependency on Google infrastructure or Google insiders’ access to customer data in the clear.

Risk Level

High

Address

Security

Compliance Standards

CISGCP, CBP

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration “Ensure That Compute Instances Have Confidential Computing Enabled” for GCP using GCP CLI, you can follow the below steps:

Open the Cloud Shell in the GCP console.
Run the following command to enable Confidential Computing for the specific instance:

gcloud beta compute instances update INSTANCE_NAME --confidential-computing

Replace INSTANCE_NAME with the name of the instance for which you want to enable Confidential Computing.

Verify that Confidential Computing is enabled for the instance by running the following command:

gcloud compute instances describe INSTANCE_NAME --format="get(confidentialComputing.enable)"

Replace INSTANCE_NAME with the name of the instance for which you enabled Confidential Computing.If the output of the command is True, then Confidential Computing is enabled for the instance. If the output is False, then you need to troubleshoot and ensure that the command was executed correctly.By following these steps, you can remediate the misconfiguration “Ensure That Compute Instances Have Confidential Computing Enabled” for GCP using GCP CLI.

Using Python

To remediate the misconfiguration “Ensure That Compute Instances Have Confidential Computing Enabled” for GCP using Python, you can follow the steps given below:

First, you need to create a new instance with Confidential Computing enabled. You can do this using the following Python code:

from googleapiclient import discovery
from oauth2client.client import GoogleCredentials

credentials = GoogleCredentials.get_application_default()
service = discovery.build('compute', 'v1', credentials=credentials)

project = 'your-project-id'
zone = 'us-central1-a'
instance_name = 'your-instance-name'
machine_type = 'n2d-standard-2'

config = {
    'confidentialInstanceConfig': {
        'enableConfidentialCompute': True
    }
}

instance_body = {
    'name': instance_name,
    'machineType': f'zones/{zone}/machineTypes/{machine_type}',
    'confidentialInstanceConfig': config
}

request = service.instances().insert(project=project, zone=zone, body=instance_body)
response = request.execute()

print(response)

Once the new instance is created, you can migrate your workload to this new instance. You can use tools like CloudEndure or manually migrate your workload.
Finally, you need to delete the old instance without Confidential Computing enabled. You can do this using the following Python code:

from googleapiclient import discovery
from oauth2client.client import GoogleCredentials

credentials = GoogleCredentials.get_application_default()
service = discovery.build('compute', 'v1', credentials=credentials)

project = 'your-project-id'
zone = 'us-central1-a'
instance_name = 'your-old-instance-name'

request = service.instances().delete(project=project, zone=zone, instance=instance_name)
response = request.execute()

print(response)

Note: Before deleting the old instance, make sure to take a backup of any data or configuration that you might need.

Additional Reading:

https://cloud.google.com/compute/confidential-vm/docs/creating-cvm-instance

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Ensure That Compute Instances Have Confidential Computing Enabled

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: