Enable Automatic Upgrades for Workbench Instances

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: VertexAI-005

To get the latest features, performance improvements, and security updates without manual intervention, ensure that automatic upgrades for Vertex AI Workbench notebook instances are enabled. Once auto-upgrades are enabled, Vertex AI Workbench will check, during a recurring time period that you specify, whether your notebook instances can be upgraded, and if so, the service will upgrade your instances.

This rule resolution is part of the Conformity Security & Compliance tool for GCP.

Security
Operational excellence

Vertex AI Workbench notebook instances are Deep Learning VM image instances with ready-to-use JupyterLab notebook environments. To access new features and capabilities or take advantage of the latest framework updates, package improvements, and bug fixes, enable automatic upgrades for all your Vertex AI Workbench notebook instances.


Audit

To determine if automatic upgrades are enabled for your Vertex AI notebook instances, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to the Vertex AI console available at https://console.cloud.google.com/vertex-ai.

04 In the main navigation panel, under NOTEBOOKS, choose Workbench, and select the INSTANCES tab.

05 Choose View: INSTANCES to list the Vertex AI notebook instances created for the selected GCP project.

06 Click on the name (link) of the notebook instance that you want to examine.

07 Select the SYSTEM tab and inspect the Environment auto-upgrade setting checkbox. If the Environment auto-upgrade checkbox is unchecked, the selected Vertex AI Workbench notebook instance is not configured with automatic upgrades.

08 Repeat steps no. 6 and 7 for each Vertex AI notebook instance launched for the selected GCP project.

09 Repeat steps no. 2 – 8 for each project deployed within your Google Cloud account.

Using GCP CLI

01 Run the projects list command (Windows/macOS/Linux) with custom query filters to list the ID of each project available in your Google Cloud account:

gcloud projects list \
  --format="table(projectId)"

02 The command output should return the requested GCP project ID(s):

PROJECT_ID
cc-vertex-project-123123
cc-appdata-project-112233

03 Run the workbench instances list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter, to list the name of each Vertex AI notebook instance created for the selected project:

gcloud workbench instances list \
  --project cc-vertex-project-123123 \
  --location=us-central1-a \
  --format="(NAME)"

04 The command output should return the requested notebook instance names:

NAME: tm-vertex-ai-notebook-instance
NAME: tm-development-notebook-instance

05 Run the workbench instances describe command (Windows/macOS/Linux) with the name of the Vertex AI Workbench notebook instance that you want to examine as the identifier parameter and custom output filters to describe the auto-upgrade schedule configured for the selected instance:

gcloud workbench instances describe tm-vertex-ai-notebook-instance \
  --location=us-central1-a \
  --format="yaml(gceSetup.metadata.notebook-upgrade-schedule)"

06 The command output should return the auto-upgrade schedule for the selected instance or null if the feature is disabled:

null

If the workbench instances describe command output returns null, as shown in the output example above, the selected Vertex AI Workbench notebook instance is not configured with automatic upgrades.

07 Repeat steps no. 5 and 6 for each Vertex AI notebook instance provisioned for the selected GCP project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.
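
The CLI audit steps 03 to 07 above, scripted for one project and location as an added shell example (not part of the original rule page, nor Trend Micro or Google tooling). It reuses the gcloud commands shown on this page and assumes their output has the shapes shown in steps 04 and 06; the function names and the MALFORMED status (a schedule that is not five unix-cron fields) are illustrative additions.

```shell
#!/bin/sh
# Added example, not Conformity or Google code: automates CLI audit steps 03-07.
# Parsing assumes the output shapes shown on this page: "NAME: <instance>" lines
# from `list`, and `null` or a "notebook-upgrade-schedule: <cron>" line from `describe`.

# Read `describe` output on stdin; print the schedule value, or nothing if unset.
extract_schedule() {
  sed -n 's/^[[:space:]]*notebook-upgrade-schedule:[[:space:]]*//p' |
    sed "s/^['\"]//; s/['\"][[:space:]]*\$//"
}

# DISABLED = no schedule, MALFORMED = not five unix-cron fields, else ENABLED.
classify_schedule() {
  case "$1" in ''|null) echo DISABLED; return ;; esac
  set -f; set -- $1; set +f        # split on whitespace without expanding '*'
  if [ "$#" -eq 5 ]; then echo ENABLED; else echo MALFORMED; fi
}

# Print "project<TAB>instance<TAB>status<TAB>schedule" for every instance in one
# project/location; return 1 if any instance is not ENABLED.
audit_project() {
  project=$1; location=$2; rc=0
  names=$(gcloud workbench instances list --project "$project" \
    --location="$location" --format="(NAME)" | sed -n 's/^NAME:[[:space:]]*//p')
  for name in $names; do
    sched=$(gcloud workbench instances describe "$name" --project "$project" \
      --location="$location" \
      --format="yaml(gceSetup.metadata.notebook-upgrade-schedule)" | extract_schedule)
    status=$(classify_schedule "$sched")
    [ "$status" = ENABLED ] || rc=1
    printf '%s\t%s\t%s\t%s\n' "$project" "$name" "$status" "${sched:--}"
  done
  return "$rc"
}

if [ "$#" -ge 2 ]; then
  audit_project "$1" "$2"          # e.g. sh audit.sh <project-id> <location>
else
  # No arguments: offline run on two constructed `describe` outputs.
  for sample in 'null' 'notebook-upgrade-schedule: 3 12 * * SUN'; do
    printf '%s -> ' "$sample"
    classify_schedule "$(printf '%s\n' "$sample" | extract_schedule)"
  done
fi
```

The non-zero return code when any instance is DISABLED or MALFORMED lets the script gate a scheduled compliance job.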

Remediation / Resolution

To enable automatic upgrades for your Vertex AI Workbench notebook instances, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to the Vertex AI console available at https://console.cloud.google.com/vertex-ai.

04 In the main navigation panel, under NOTEBOOKS, choose Workbench, and select the INSTANCES tab.

05 Choose View: INSTANCES to list the Vertex AI notebook instances created for the selected GCP project.

06 Click on the name (link) of the notebook instance that you want to configure.

07 Select the SYSTEM tab and check the Environment auto-upgrade setting checkbox to enable automatic upgrades for the selected Vertex AI Workbench notebook instance. Choose whether to upgrade your notebook instance Weekly or Monthly, then choose SUBMIT at the bottom of the page to apply the configuration changes. If no upgrade is found during the system check, your instance won't be shut down.

08 Repeat steps no. 6 and 7 for each Vertex AI notebook instance that you want to configure, launched for the selected GCP project.

09 Repeat steps no. 2 – 8 for each project deployed within your Google Cloud account.

Using GCP CLI

01 Run the workbench instances update command (Windows/macOS/Linux) with the name of the Vertex AI notebook instance that you want to update as the identifier parameter, to enable automatic upgrades for the selected notebook instance. The feature can be enabled by setting the auto-upgrade process schedule. The following example sets the auto-upgrade schedule to every Sunday between 3:00 and 3:59 AM:

gcloud workbench instances update tm-vertex-ai-notebook-instance \
  --location=us-central1-a \
  --metadata 'notebook-upgrade-schedule'='3 12 * * SUN' \
  --format="yaml(gceSetup.metadata.notebook-upgrade-schedule)"

02 The command output should return the auto-upgrade schedule configured for the selected instance:

Waiting for operation on Instance [tm-vertex-ai-notebook-instance] to be updated with [projects/cc-vertex-project-123123/locations/us-central1-a/operations/operation-abcd1234abcd-abcd1234abcd-abcd1234-abcd1234]...done.
Updated workbench instance tm-vertex-ai-notebook-instance [https://notebooks.googleapis.com/v2/projects/cc-vertex-project-123123/locations/us-central1-a/operations/operation-abcd1234abcd-abcd1234abcd-abcd1234-abcd1234].

gceSetup:
  metadata:
    notebook-upgrade-schedule: 3 12 * * SUN

03 Repeat steps no. 1 and 2 for each Vertex AI notebook instance that you want to update, created for the selected GCP project.

04 Repeat steps no. 1 – 3 for each GCP project deployed in your Google Cloud account.

Publication date Jul 8, 2024