Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Enable Confidential Computing for Virtual Machine Instances

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: ComputeEngine-011

Ensure that the Confidential Computing security feature is enabled for your Google Cloud virtual machine (VM) instances in order to add protection to your sensitive data in use by keeping it encrypted in memory and using encryption keys that Google doesn't have access to. Confidential Computing is a breakthrough technology which encrypts data while it is being processed. This technology keeps data encrypted in memory, outside the CPU.

This rule resolution is part of the Conformity solution.

Security
Operational
excellence

Confidential Computing keeps your sensitive data encrypted while it is used, indexed, queried, or trained on, and does not allow Google to access the encryption keys (these keys are generated in hardware, per VM instance, and can't be exported). In this way, the Confidential Computing feature can help alleviate concerns about risk related to either dependency on Google Cloud infrastructure or Google insiders' access to your data in the clear.

Audit

To determine if Confidential Computing is enabled for your VM instances, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the top navigation bar.

03 Navigate to Compute Engine dashboard at https://console.cloud.google.com/compute.

04 In the navigation panel, select VM instances to access the list with the virtual machine (VM) instances provisioned for the selected project.

05 Click on the name (link) of the VM instance that you want to examine.

06 Select the DETAILS tab to access the instance configuration details and check the Confidential VM service configuration status. If the Confidential VM service status is set to Disabled, the Confidential Computing feature is not enabled for the selected virtual machine (VM) instance.

07 Repeat step no. 5 and 6 for each virtual machine instance launched within the selected project.

08 Repeat steps no. 2 – 7 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom query filters to list the IDs of all the GCP projects available within your Google Cloud account: 

gcloud projects list
  --format="table(projectId)"

02 The command output should return the requested GCP project identifiers: 

PROJECT_ID
cc-web-stack-project-123123
cc-internal-app-project-112233

03 Run compute instances list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and custom query filters to describe the name and the zone for each VM instance launched for the selected project: 

gcloud compute instances list
  --project cc-web-stack-project-123123
  --format="table(name,zone)"

04 The command output should return the name(s) of the instance(s) within the selected GCP project: 

NAME:                     ZONE:
cc-frontend-vm-instance   us-central1-a
cc-backend-vm-instance    us-central1-a

05 Run compute instances describe command (Windows/macOS/Linux) using the name and the zone of the instance that you want to examine as the identifier parameter and custom filtering to describe the configuration status of the Confidential Computing feature set for the selected VM instance: 

gcloud compute instances describe cc-frontend-vm-instance
  --zone us-central1-a
  --format="value(confidentialInstanceConfig.enableConfidentialCompute)"

06 The command output should return the requested feature configuration status (True for enabled, False for disabled): 

False

If the compute instances describe command output returns False, the Confidential Computing feature is not enabled for the selected virtual machine (VM) instance.

07 Repeat step no. 5 and 6 for each virtual machine instance provisioned within the selected project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

Enabling Confidential Computing for your existing Google Cloud virtual machine (VM) instances is not supported. To turn on the feature, you have to re-create your VM instances with the appropriate configuration by performing the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the top navigation bar.

03 Navigate to Compute Engine dashboard at https://console.cloud.google.com/compute.

04 In the navigation panel, select VM instances to access the list with the virtual machine (VM) instances provisioned for the selected project.

05 Choose the virtual machine (VM) instance that you want to reconfigure and click on the 3-dot button for instance menu options and select Create new machine image to create an image from the selected instance.

06 On the Create a machine image page, provide a name for your new machine image in the Name box, choose the location at which to store the image and the encryption key required to encrypt the data, then choose CREATE to create the new virtual machine image.

07 Once the machine image is successfully created (i.e. the status is set to Ready), click on the 3-dot button for image menu options and select Create instance to create a virtual machine (VM) instance from the newly created image.

08 On the Create an instance setup page, perform the following actions:

  1. Provide a unique name for the new instance in the Name box.
  2. Select Enable the Confidential Computing service on this VM instance under Confidential VM service to enable the Confidential Computing security feature for the selected VM instance.
  3. In the Enable Confidential Computing service confirmation box, review the list of instance settings that are updated when you enable Confidential Computing, then choose ENABLE to turn on the feature. Enabling Confidential Computing may change the following fields if these were set to incompatible values:
  4. Choose NETWORKING, DISKS, SECURITY, MANAGEMENT, SOLE-TENANCY and ensure that the right configuration setting are deployed.
  5. Choose CREATE to launch your new virtual machine (VM) instance.

09 (Optional) To avoid extra charges on your Google Cloud monthly bill, you can remove the source (non-compliant) instance from your GCP project. To remove the required instance, perform the following actions:

  1. In the navigation panel, select VM instances.
  2. Choose the VM instance that you want to remove, then click on the 3-dot button for instance menu options and select Delete to initiate the removal process.
  3. In the Delete <instance-name> confirmation box, select DELETE to confirm the action and remove the selected VM instance from your project.

10 Repeat steps no. 5 – 9 to enable Confidential Computing for other virtual machine (VM) instances created for the selected project.

11 Repeat steps no. 2 – 10 for each GCP project available in your Google Cloud account.

Using GCP CLI

01 Run compute images create command (Windows/macOS/Linux) to create a machine image from the virtual machine (VM) instance that you want to re-create. Include the --force flag to create the image from a running instance (by default, you can't create images from running VM instances): 

gcloud compute images create cc-production-instance-image
  --source-disk cc-production-instance
  --source-disk-zone us-central1-a
  --storage-location us-central1
  --force

02 The command output should return the metadata for the newly created machine image: 

Created [https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/global/images/cc-production-instance-image].

NAME                          PROJECT                     FAMILY  DEPRECATED  STATUS
cc-production-instance-image  cc-web-stack-project-123123                     READY

03 Run compute instances create command (Windows/macOS/Linux) using the name of the machine image created at the previous steps as the configuration parameter, to create a new virtual machine (VM) instance from the selected image. To enable the Confidential Computing feature for the new VM instance, include the --confidential-compute flag to the command request. You must also use --maintenance-policy=TERMINATE because the security feature does not support live migration. Enabling Confidential Computing may change certain instance parameters if they were set to incompatible values. The following example command creates an "n2d-standard-16"-type instance named "cc-new-production-instance" on the AMD SEV CPU platform within the "us-central1-f" zone: 

gcloud compute instances create cc-new-production-instance
  --image-project=cc-web-stack-project-123123
  --image=cc-production-instance-image
  --zone=us-central1-f
  --machine-type=n2d-standard-16
  --confidential-compute
  --maintenance-policy=TERMINATE

04 The command output should return the metadata available for the new VM instance: 

Created [https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/instances/cc-new-production-instance].

NAME                        ZONE           MACHINE_TYPE     INTERNAL_IP  EXTERNAL_IP      STATUS
cc-new-production-instance  us-central1-f  n2d-standard-16  10.128.0.5   xxx.xxx.xxx.xxx  RUNNING

05 (Optional) To avoid extra charges on your Google Cloud monthly bill, you can remove the source (non-compliant) instance from your GCP project. To remove the required instance, run compute instances delete command (Windows/macOS/Linux) using the name of the source (non-compliant) instance that you want to remove as the identifier parameter to remove the selected resource from your GCP project: 

gcloud compute instances delete cc-production-instance
  --zone us-central1-a

06 Press Y at the command prompt to confirm the resource removal: 

The following instances will be deleted. Any attached disks configured
 to be auto-deleted will be deleted unless they are attached to any
other instances or the `--keep-disks` flag is given and specifies them
 for keeping. Deleting a disk is irreversible and any data on the disk
 will be lost.
 - [cc-production-instance] in [us-central1-a]
Do you want to continue (Y/n)?

07 The command output should return the URL of the deleted VM instance: 

Deleted [https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/instances/cc-production-instance].

08 Repeat steps no. 1 – 7 to enable Confidential Computing for other virtual machine (VM) instances provisioned for the selected project.

09 Repeat steps no. 1 – 8 for each GCP project deployed in your Google Cloud account.

References

Publication date Mar 8, 2022

Related ComputeEngine rules