More Info:

Confidential Computing enables customers’ sensitive code and other data encrypted in memory during processing. Google does not have access to the encryption keys. Confidential VM can help alleviate concerns about risk related to either dependency on Google infrastructure or Google insiders’ access to customer data in the clear.

Risk Level

High

Address

Security

Compliance Standards

CISGCP, CBP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Ensure That Compute Instances Have Confidential Computing Enabled” for Google Cloud Platform (GCP) using GCP console, follow the below steps:
  1. Open the GCP Console and navigate to the Compute Engine page.
  2. Select the instance(s) for which you want to enable Confidential Computing.
  3. Click on the “Edit” button at the top of the page.
  4. Scroll down to the “Confidential Computing” section and select the checkbox next to “Enable Confidential VMs”.
  5. Click on the “Save” button at the bottom of the page to save the changes.
Once you have completed the above steps, Confidential Computing will be enabled for the selected instance(s) in GCP.

To remediate the misconfiguration “Ensure That Compute Instances Have Confidential Computing Enabled” for GCP using GCP CLI, you can follow the below steps:
  1. Open the Cloud Shell in the GCP console.
  2. Run the following command to enable Confidential Computing for the specific instance: 
gcloud beta compute instances update INSTANCE_NAME --confidential-computing
Replace INSTANCE_NAME with the name of the instance for which you want to enable Confidential Computing.
  1. Verify that Confidential Computing is enabled for the instance by running the following command:
gcloud compute instances describe INSTANCE_NAME --format="get(confidentialComputing.enable)"
Replace INSTANCE_NAME with the name of the instance for which you enabled Confidential Computing.If the output of the command is True, then Confidential Computing is enabled for the instance. If the output is False, then you need to troubleshoot and ensure that the command was executed correctly.By following these steps, you can remediate the misconfiguration “Ensure That Compute Instances Have Confidential Computing Enabled” for GCP using GCP CLI.
To remediate the misconfiguration “Ensure That Compute Instances Have Confidential Computing Enabled” for GCP using Python, you can follow the steps given below:
  1. First, you need to create a new instance with Confidential Computing enabled. You can do this using the following Python code:
from googleapiclient import discovery
from oauth2client.client import GoogleCredentials

credentials = GoogleCredentials.get_application_default()
service = discovery.build('compute', 'v1', credentials=credentials)

project = 'your-project-id'
zone = 'us-central1-a'
instance_name = 'your-instance-name'
machine_type = 'n2d-standard-2'

config = {
    'confidentialInstanceConfig': {
        'enableConfidentialCompute': True
    }
}

instance_body = {
    'name': instance_name,
    'machineType': f'zones/{zone}/machineTypes/{machine_type}',
    'confidentialInstanceConfig': config
}

request = service.instances().insert(project=project, zone=zone, body=instance_body)
response = request.execute()

print(response)
  1. Once the new instance is created, you can migrate your workload to this new instance. You can use tools like CloudEndure or manually migrate your workload.
  2. Finally, you need to delete the old instance without Confidential Computing enabled. You can do this using the following Python code: 
from googleapiclient import discovery
from oauth2client.client import GoogleCredentials

credentials = GoogleCredentials.get_application_default()
service = discovery.build('compute', 'v1', credentials=credentials)

project = 'your-project-id'
zone = 'us-central1-a'
instance_name = 'your-old-instance-name'

request = service.instances().delete(project=project, zone=zone, instance=instance_name)
response = request.execute()

print(response)
Note: Before deleting the old instance, make sure to take a backup of any data or configuration that you might need.

Additional Reading: