Ensure That Compute Instances Have Confidential Computing Enabled

Confidential Computing keeps customers' sensitive code and other data encrypted in memory while it is being processed. Google does not have access to the encryption keys. Confidential VM can help alleviate concerns about dependency on Google infrastructure and about Google insiders' access to customer data in the clear.

Risk Level: High
Cloud Entity: Virtual Machine Instances
CloudGuard Rule ID: D9.GCP.CRY.09
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

VMInstance should have confidentialInstanceConfig.enableConfidentialCompute=true
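The GSL check above, written out as an added Python example (not CloudGuard's own code) that evaluates instance records in the JSON shape returned by `gcloud compute instances list --format=json`; the instance records embedded below are constructed samples, and only the fields the rule looks at are included.

```python
import json

# Constructed sample records in the shape of `gcloud compute instances list --format=json`.
# web-1 is compliant, web-2 has the flag set to false, batch-1 has no config block at all.
SAMPLE_INSTANCES_JSON = """
[
  {"name": "web-1",
   "zone": "https://www.googleapis.com/compute/v1/projects/p/zones/us-central1-a",
   "confidentialInstanceConfig": {"enableConfidentialCompute": true}},
  {"name": "web-2",
   "zone": "https://www.googleapis.com/compute/v1/projects/p/zones/us-central1-a",
   "confidentialInstanceConfig": {"enableConfidentialCompute": false}},
  {"name": "batch-1",
   "zone": "https://www.googleapis.com/compute/v1/projects/p/zones/europe-west1-b"}
]
"""


def is_confidential(instance: dict) -> bool:
    """Mirror of the GSL rule: confidentialInstanceConfig.enableConfidentialCompute must be
    exactly the boolean true. A missing block, a missing key, or the string "true"
    all count as non-compliant rather than as unknown."""
    config = instance.get("confidentialInstanceConfig")
    if not isinstance(config, dict):
        return False
    return config.get("enableConfidentialCompute") is True


def find_non_compliant(instances_json: str) -> list:
    """Return 'zone/name' for every instance that fails the rule, in input order."""
    findings = []
    for inst in json.loads(instances_json):
        if not is_confidential(inst):
            # The API returns the zone as a URL; keep only its last path segment.
            zone = inst.get("zone", "").rsplit("/", 1)[-1] or "unknown-zone"
            findings.append(f"{zone}/{inst['name']}")
    return findings


if __name__ == "__main__":
    for finding in find_non_compliant(SAMPLE_INSTANCES_JSON):
        print(f"D9.GCP.CRY.09 FAIL: {finding} does not have Confidential Computing enabled")
```

To audit a real project, feed the actual output of the gcloud command to find_non_compliant in place of the constructed sample.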

REMEDIATION

From Portal

  1. Go to the VM instances page by visiting: https://console.cloud.google.com/compute/instances.
  2. Click CREATE INSTANCE.
  3. Fill out the desired configuration for your instance.
  4. Under the Confidential VM service section, check the option Enable the Confidential Computing service on this VM instance.
  5. Click Create.

From TF
Set 'enable_confidential_compute' to 'true' (HCL labels and string values use double quotes):

resource "google_compute_instance" "default" {
	...
	# Enables Confidential Computing (memory encryption) for this instance
	confidential_instance_config {
		enable_confidential_compute = true
	}
	# Matches the --maintenance-policy=TERMINATE used in the command-line remediation below
	scheduling {
		on_host_maintenance = "TERMINATE"
	}
}

From Command Line

Run

gcloud compute instances create INSTANCE_NAME --machine-type 'MACHINE_TYPE' --zone 'ZONE_NAME' --confidential-compute --maintenance-policy=TERMINATE --image=IMAGE_NAME --image-project=IMAGE_PROJECT

References

  1. https://cloud.google.com/compute/confidential-vm/docs/creating-cvm-instance
  2. https://cloud.google.com/compute/confidential-vm/docs/about-cvm
  3. https://cloud.google.com/confidential-computing
  4. https://cloud.google.com/blog/products/identity-security/introducing-google-cloud-confidential-computing-with-confidential-vms

Virtual Machine Instances

Compute Engine instances can run the public images for Linux and Windows Server that Google provides as well as private custom images that you can create or import from your existing systems. You can also deploy Docker containers, which are automatically launched on instances running the Container-Optimized OS public image.

You can choose the machine properties of your instances, such as the number of virtual CPUs and the amount of memory, by using a set of predefined machine types or by creating your own custom machine types.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CIS Controls V 8
  • GCP CIS Foundations v. 1.2.0
  • GCP CIS Foundations v. 1.3.0
  • GCP CIS Foundations v. 2.0
  • GCP CloudGuard Best Practices
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 5
  • GCP Security Risk Management