GCP-VM-Instances-Confidential-Computing-Disabled

Severity: Medium

Description: This control ensures that compute instances have Confidential Computing enabled. Google Cloud encrypts data at rest and in transit, but customer data must normally be decrypted for processing. Confidential Computing encrypts data in use, while it is being processed: Confidential Computing environments keep data encrypted in memory and everywhere else outside the central processing unit (CPU). Confidential VMs use the Secure Encrypted Virtualization (SEV) feature of AMD EPYC CPUs, so customer data stays encrypted while it is used, indexed, queried, or trained on. The encryption keys are generated in hardware, per VM, and are not exportable.

Remediation Steps:

Perform the following steps to enable Confidential Computing on an instance:

  1. Sign in to GCP Console https://console.cloud.google.com.

  2. Go to the VM instances page.

  3. Click on CREATE INSTANCE.

  4. Fill out the desired configuration for your instance.

  5. Under the Confidential VM service section, check the option Enable the Confidential Computing service on this VM instance.

  6. Click on Create.

Important:

GCP does not support updating confidential computing configuration once the instance is created, so a new instance must be created.
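A check that implements this control over the output of `gcloud compute instances list --format=json`, as an added example and not Blue Hexagon's own code. It reads the Compute API field `confidentialInstanceConfig.enableConfidentialCompute`, which is what the console checkbox in step 5 sets; the three instance records are constructed sample data, and an instance that omits the block entirely (created before the setting existed) is treated as non-compliant.

```python
"""Flag GCP VM instances that do not have Confidential Computing enabled.

Input is the JSON array that `gcloud compute instances list --format=json`
prints. Only confidentialInstanceConfig.enableConfidentialCompute == true
counts as compliant; a missing block or a false value is a finding.
"""
import json
from typing import Any

# Constructed sample, reduced to the fields this check needs.
SAMPLE_INSTANCES_JSON = json.dumps([
    {
        "name": "web-1",
        "zone": "https://www.googleapis.com/compute/v1/projects/example-proj/zones/us-central1-a",
        "status": "RUNNING",
        "confidentialInstanceConfig": {"enableConfidentialCompute": True},
    },
    {
        "name": "batch-2",
        "zone": "https://www.googleapis.com/compute/v1/projects/example-proj/zones/us-central1-b",
        "status": "RUNNING",
        "confidentialInstanceConfig": {"enableConfidentialCompute": False},
    },
    {
        # Instances created without the setting simply omit the block.
        "name": "legacy-3",
        "zone": "https://www.googleapis.com/compute/v1/projects/example-proj/zones/europe-west1-b",
        "status": "TERMINATED",
    },
])


def is_confidential(instance: dict[str, Any]) -> bool:
    """True only when the Confidential VM service is explicitly enabled."""
    cfg = instance.get("confidentialInstanceConfig") or {}
    return cfg.get("enableConfidentialCompute") is True


def find_noncompliant(instances_json: str) -> list[dict[str, str]]:
    """Return name, zone and severity for every instance failing the control."""
    findings = []
    for inst in json.loads(instances_json):
        if not is_confidential(inst):
            # The zone comes back as a full resource URL; keep only its last path segment.
            zone = inst["zone"].rsplit("/", 1)[-1]
            findings.append({"name": inst["name"], "zone": zone, "severity": "Medium"})
    return findings


if __name__ == "__main__":
    for f in find_noncompliant(SAMPLE_INSTANCES_JSON):
        print(f"{f['severity']}: {f['name']} ({f['zone']}) has Confidential Computing disabled")
```

Because the setting cannot be changed after creation, each finding has to be remediated by recreating the instance as described above rather than by an in-place update.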

Reference:

Blue Hexagon Proprietary