Compute instances confidential computing enabled remediation

Using Console

Using CLI

To remediate the misconfiguration “Ensure That Compute Instances Have Confidential Computing Enabled” for GCP using GCP CLI, you can follow the below steps:

Open the Cloud Shell in the GCP console.
Run the following command to enable Confidential Computing for the specific instance:

gcloud beta compute instances update INSTANCE_NAME --confidential-computing

Replace INSTANCE_NAME with the name of the instance for which you want to enable Confidential Computing.

Verify that Confidential Computing is enabled for the instance by running the following command:

gcloud compute instances describe INSTANCE_NAME --format="get(confidentialComputing.enable)"

Replace INSTANCE_NAME with the name of the instance for which you enabled Confidential Computing.If the output of the command is True, then Confidential Computing is enabled for the instance. If the output is False, then you need to troubleshoot and ensure that the command was executed correctly.By following these steps, you can remediate the misconfiguration “Ensure That Compute Instances Have Confidential Computing Enabled” for GCP using GCP CLI.

Using Python

To remediate the misconfiguration “Ensure That Compute Instances Have Confidential Computing Enabled” for GCP using Python, you can follow the steps given below:

First, you need to create a new instance with Confidential Computing enabled. You can do this using the following Python code:

from googleapiclient import discovery
from oauth2client.client import GoogleCredentials

credentials = GoogleCredentials.get_application_default()
service = discovery.build('compute', 'v1', credentials=credentials)

project = 'your-project-id'
zone = 'us-central1-a'
instance_name = 'your-instance-name'
machine_type = 'n2d-standard-2'

config = {
    'confidentialInstanceConfig': {
        'enableConfidentialCompute': True
    }
}

instance_body = {
    'name': instance_name,
    'machineType': f'zones/{zone}/machineTypes/{machine_type}',
    'confidentialInstanceConfig': config
}

request = service.instances().insert(project=project, zone=zone, body=instance_body)
response = request.execute()

print(response)

Once the new instance is created, you can migrate your workload to this new instance. You can use tools like CloudEndure or manually migrate your workload.
Finally, you need to delete the old instance without Confidential Computing enabled. You can do this using the following Python code:

from googleapiclient import discovery
from oauth2client.client import GoogleCredentials

credentials = GoogleCredentials.get_application_default()
service = discovery.build('compute', 'v1', credentials=credentials)

project = 'your-project-id'
zone = 'us-central1-a'
instance_name = 'your-old-instance-name'

request = service.instances().delete(project=project, zone=zone, instance=instance_name)
response = request.execute()

print(response)

Note: Before deleting the old instance, make sure to take a backup of any data or configuration that you might need.

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Compute instances confidential computing enabled remediation

Triage and Remediation

Remediation

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​Triage and Remediation

​Remediation

Triage and Remediation

Remediation