π Google GCE Instance Confidential Compute is not enabled π’
- Contextual name: π Instance Confidential Compute is not enabled π’
- ID:
/ce/ca/google/compute-engine/compute-instance-confidential-computing - Located in: π Google GCE
Flagsβ
- π’ Policy with categories
- π’ Policy with type
- π’ Production policy
Our Metadataβ
- Policy Type:
COMPLIANCE_POLICY - Policy Category:
SECURITY
Similar Policiesβ
- Cloud Conformity
Logicβ
- π§ prod.logic.yaml π’
Descriptionβ
Descriptionβ
Google Cloud encrypts data at-rest and in-transit, but customer data must be decrypted for processing. Confidential Computing is a breakthrough technology which encrypts data in-useβwhile it is being processed. Confidential Computing environments keep data encrypted in memory and elsewhere outside the central processing unit (CPU).
Confidential VMs leverage the Secure Encrypted Virtualization (SEV) feature of AMD EPYCβ’ CPUs. Customer data will stay encrypted while it is used, indexed, queried, or trained on. Encryption keys are generated in hardware, per VM, and not exportable. Thanks to built-in hardware optimizations of both performance and security, there is no significant performance penalty to Confidential Computing workloads.
Rationaleβ
Confidential Computing enables customers' sensitive code and other data encrypted in memory during processing. Google does not have access to the encryption keys. Confidential VM can help alleviate concerns about risk related to either dependency on Google infrastructure or Google insiders' access to customer data in the clear.
... see more
Remediationβ
Remediationβ
Confidential Computing can only be enabled when an instance is created. You must delete the current instance and create a new one.
From Google Cloud Consoleβ
- Go to the
VM instancespage by visiting: https://console.cloud.google.com/compute/instances.- Click
CREATE INSTANCE.- Fill out the desired configuration for your instance.
- Under the
Confidential VM servicesection, check the optionEnable the Confidential Computing service on this VM instance.- Click
Create.From Google Cloud CLIβ
Create a new instance with Confidential Compute enabled.
gcloud compute instances create <INSTANCE_NAME> --zone <ZONE> --confidential-compute --maintenance-policy=TERMINATE
policy.yamlβ
Linked Framework Sectionsβ
| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|---|---|---|---|
| πΌ CIS GCP v3.0.0 β πΌ 4.11 Ensure That Compute Instances Have Confidential Computing Enabled - Level 2 (Automated) | 1 | |||
| πΌ Cloudaware Framework β πΌ Data Encryption | 31 |