Risk Level: High
Cloud Entity: Virtual Machine Instances
CloudGuard Rule ID: D9.GCP.CRY.09
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

VMInstance should have confidentialInstanceConfig.enableConfidentialCompute=true

REMEDIATION

From Portal

Go to the VM instances page by visiting: https://console.cloud.google.com/compute/instances.
Click CREATE INSTANCE.
Fill out the desired configuration for your instance.
Under the Confidential VM service section, check the option Enable the Confidential Computing service on this VM instance.
Click Create.

From TF
set the 'enable_confidential_compute' to be 'true':

resource 'google_compute_instance' 'default' {
	...
	confidential_instance_config {
		enable_confidential_compute = true
	}
	scheduling {
		on_host_maintenance ='TERMINATE'
	}

From Command Line

Run

gcloud compute instances create INSTANCE_NAME --machine-type 'MACHINE_TYPE' --zone 'ZONE_NAME' --confidential-compute --maintenance-policy=TERMINATE --image=IMAGE_NAME --image-project=IMAGE_PROJECT

References

Virtual Machine Instances

Compute Engine instances can run the public images for Linux and Windows Server that Google provides as well as private custom images that you can create or import from your existing systems. You can also deploy Docker containers, which are automatically launched on instances running the Container-Optimized OS public image.

You can choose the machine properties of your instances, such as the number of virtual CPUs and the amount of memory, by using a set of predefined machine types or by creating your own custom machine types.

Compliance Frameworks

CloudGuard GCP All Rules Ruleset
GCP CIS Controls V 8
GCP CIS Foundations v. 1.2.0
GCP CIS Foundations v. 1.3.0
GCP CIS Foundations v. 2.0
GCP CloudGuard Best Practices
GCP MITRE ATT&CK Framework v12.1
GCP NIST 800-53 Rev 5
GCP Security Risk Management