Ensure That Compute Instances Have Confidential Computing Enabled

MEDIUM

Description

Description:

Google Cloud encrypts data at-rest and in-transit, but customer data must be decrypted for processing. Confidential Computing is a breakthrough technology which encrypts data in-use-while it is being processed. Confidential Computing environments keep data encrypted in memory and elsewhere outside the central processing unit (CPU).

Confidential VMs leverage the Secure Encrypted Virtualization (SEV) feature of AMD EPYC(TM) CPUs. Customer data will stay encrypted while it is used, indexed, queried, or trained on. Encryption keys are generated in hardware, per VM, and not exportable. Thanks to built-in hardware optimizations of both performance and security, there is no significant performance penalty to Confidential Computing workloads.

Rationale:

Confidential Computing enables customers' sensitive code and other data encrypted in memory during processing. Google does not have access to the encryption keys. Confidential VM can help alleviate concerns about risk related to either dependency on Google infrastructure or Google insiders' access to customer data in the clear.

'- Confidential Computing for Compute instances does not support live migration. Unlike regular Compute instances, Confidential VMs experience disruptions during maintenance events like a software or hardware update.

Additional charges may be incurred when enabling this security feature. See https://cloud.google.com/compute/confidential-vm/pricing for more info.

Remediation

Confidential Computing can only be enabled when an instance is created. You must delete the current instance and create a new one.

From Google Cloud Console

Go to the VM instances page by visiting: https://console.cloud.google.com/compute/instances.
Click 'CREATE INSTANCE'.
Fill out the desired configuration for your instance.
Under the 'Confidential VM service' section, check the option 'Enable the Confidential Computing service on this VM instance'.
Click 'Create'.

From Google Cloud CLI

Create a new instance with Confidential Compute enabled.

gcloud compute instances create --zone --confidential-compute --maintenance-policy=TERMINATE

Policy Details

Rule Reference ID: AC_GCP_0281

CSP: GCP

Remediation Available: Yes

Domain: Security Best Practices

Resource: google_compute_instance

Resource Category: Compute

Resource Type: Virtual Machine

Frameworks

CIS Google Cloud Platform Foundations v1.3.0 Level 2
CIS Google Cloud Platform Foundations v2.0.0 Level 2
CSCv8
NIST-800-53
NIST-800-171
NIST-CSF
GDPR
HIPAA
CSCv7
PCI-DSSv4.0
CIS Google Cloud Platform Foundations v1.2.0 Level 2

Detections

Analytics