Workbench Instance Encryption with Customer-Managed Encryption Keys

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to Vertex AI console available at https://console.cloud.google.com/vertex-ai.

04 In the main navigation panel, under NOTEBOOKS, choose Workbench, and select the INSTANCES tab.

05 Choose View: INSTANCES to list the Vertex AI notebook instances created for the selected GCP project.

06 Click on the name (link) of the notebook instance that you want to examine.

07 Select the SYSTEM tab and choose View in Compute Engine next to VM details to view the VM instance details in Google Cloud Compute Engine.

08 Select the Details tab to access the configuration details available for selected instance.

09 Under Storage, in the Boot disk and Additional disks sections, check the encryption type available in the Encryption column for each disk attached to the instance. If one or both instance disks do not have the Encryption type set to Customer managed, the data on the selected Vertex AI notebook instance is not encrypted with a Customer-Managed Encryption Key (CMEK).

10 Repeat steps no. 6 - 9 for each Vertex AI notebook instance launched for the selected GCP project.

11 Repeat steps no. 2 – 10 for each project deployed within your Google Cloud account.

01 Run projects list command (Windows/macOS/Linux) with custom query filters to list the ID of each project available in your Google Cloud account:

gcloud projects list
  --format="table(projectId)"

02 The command output should return the requested GCP project ID(s):

PROJECT_ID
cc-vertex-project-123123
cc-appdata-project-112233

03 Run workbench instances list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter, to describe the name of each Vertex AI notebook instance created for the selected project:

gcloud workbench instances list
  --project cc-vertex-project-123123
  --location=us-central1-a
  --format="(NAME)"

04 The command output should return the requested notebook instance names:

NAME: tm-vertex-ai-notebook-instance
NAME: tm-development-notebook-instance

05 Run workbench instances describe command (Windows/macOS/Linux) with the name of the Vertex AI notebook instance that you want to examine as the identifier parameter and custom output filters to describe the type of the encryption key used by the selected instance for the boot disk:

gcloud workbench instances describe tm-vertex-ai-notebook-instance
  --location=us-central1-a
  --format="value(gceSetup.bootDisk.diskEncryption)"

06 The command output should return the type of the encryption key used by the boot disk (Google-managed or customer-managed):

GMEK

07 Run workbench instances describe command (Windows/macOS/Linux) with the name of the Vertex AI notebook instance that you want to examine as the identifier parameter and custom output filters to describe the type of the encryption key used by the selected instance for the attached data disks:

gcloud workbench instances describe tm-vertex-ai-notebook-instance
  --location=us-central1-a
  --format="value(gceSetup.dataDisks.diskEncryption)"

08 The command output should return the type of the encryption key used by the data disks (GMEK or CMEK):

GMEK

09 Repeat steps no. 5 - 8 for each Vertex AI notebook instance provisioned for the selected GCP project.

10 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 To create and configure your new Cloud KMS Customer-Managed Encryption Key (CMEK), perform the following actions:

1. Navigate to Key Management Service (KMS) console available at https://console.cloud.google.com/security/kms.
2. Before you can set up and manage any Customer-Managed Encryption Keys (CMEKs), you must create a key ring. A KMS key ring is a grouping of cryptographic keys made available for organizational purposes in a specific location. Choose + CREATE KEY RING from the top menu to set up the required key ring and the new Customer-Managed Encryption Key (CMEK).
3. A key ring requires a name and location. On the Create key ring page, provide a unique name in the Key ring name box, select the appropriate Location type, then choose a location for the key ring from the Region/Multi-region dropdown list. If the CMEKs created later within the key ring will be used to encrypt/decrypt resources in a given region, select that region as the key ring location. Choose CREATE to deploy the new key ring.
4. On the Create key setup page, provide a name for your new key in the Key name box, choose the protection level that you want to use, choose Generated key for Key material, select Symmetric encrypt/decrypt from the Purpose dropdown list to define the types of operations that your cryptographic key can perform, configure the key rotation parameters and labels. Choose CREATE to deploy your new Cloud KMS Customer-Managed Encryption Key (CMEK).

04 Once the new CMEK is available, navigate to Vertex AI console at https://console.cloud.google.com/vertex-ai.

05 In the main navigation panel, under NOTEBOOKS, choose Workbench, and select the INSTANCES tab.

06 Choose CREATE NEW, select ADVANCED OPTIONS, and perform the following actions to create your new notebook instance:

1. For Details, provide the following information:
   1. For Name, enter a unique name for your new notebook instance.
   2. For Region and Zone, select the GCP location where the instance will be deployed.
   3. (Optional) Check the Enable Dataproc Serverless Interactive Sessions setting checkbox to enable access to Dataproc Spark kernels.
   4. (Optional) For Labels, choose ADD LABEL, and use the Key and Value fields to create labels for the new instance.
   5. (Optional) Use Network tags to assign network tags to your Workbench instance.
   6. For Workbench type, choose Instance.
   7. Choose Continue to continue the instance setup.
2. For Environment, perform the following actions:
   1. Choose whether to use a custom container or the latest version of the Vertex AI Workbench for the instance environment.
   2. (Optional) For Post-startup script, you can select a script that automatically runs after the instance boots up.
   3. (Optional) For Metadata, choose ADD METADATA to add metadata keys to your Workbench instance.
   4. Choose Continue to continue the setup.
3. For Machine type, perform the following operations:
   1. For Machine type, choose the appropriate machine type for your workload.
   2. For Shielded VM, check the Secure Boot, Virtual Trusted Platform Module (vTPM), and Integrity monitoring checkboxes for the most secure instance configuration.
   3. For Idle shutdown, check the Enable Idle Shutdown checkbox to enable the Idle Shutdown feature for the new instance. Enter the preferred idle timeout value (in minutes) in the Time of inactivity before shutdown (Minutes) box.
   4. Choose Continue to continue the setup process.
4. For Disks, perform the following operations:
   1. For Disks, choose the boot disk type and boot disk size (GB) for the instance disks. (Optional) Check the Delete to trash checkbox if you want to use the operating system's trash behavior.
   2. For Encryption, choose Cloud KMS key, and select the Cloud KMS Customer-Managed Encryption Key (CMEK) created at step no. 3. Inside The service account does not have the "cloudkms.cryptoKeyEncrypterDecrypter" role. Verify the service account has permission to encrypt/decrypt with the selected key box, choose GRANT to grant the specified service account the required IAM role on the selected CMEK.
   3. Choose Continue to continue the setup.
5. For Networking, choose Network in this project, and select the appropriate VPC network and subnetwork. Ensure that a custom, non-default VPC network is selected (recommended). Choose whether to allow HTTPS access to your JupyterLab instance. For network isolation and stringent compliance, uncheck the Assign external IP address checkbox to prevent adding an external IP address to the instance. Choose Continue to continue the setup process.
6. For IAM and security, perform the following actions:
   1. For IAM and security, configure who can use the instance's JupyterLab interface. Choose Service account for default instance access or choose Single user to restrict access to one user only. Choose whether to use the default Compute Engine service account or a custom service account.
   2. For Security options, uncheck the Root access to the instance checkbox to disable the root access to the new instance, and choose whether to allow terminal access and file downloads from JupyterLab.
   3. Choose Continue to continue the setup.
7. For System health, perform the following operations:
   1. For System health, check the Environment auto-upgrade checkbox to enable automatic upgrades. Choose whether to upgrade your new instance Weekly or Monthly.
   2. For Reporting, check the Install Cloud Monitoring checkbox to install the Cloud Monitoring agent and enable the Cloud Monitoring feature. You can also check the Report custom metrics to Cloud Monitoring checkbox to collect system status and JupyterLab metrics. Ensure that Report system health and Report DNS status for required Google domains checkboxes are also checked for core service and DNS status verification.
   3. Choose CREATE to launch your new Google Cloud Vertex AI notebook instance.

07 Repeat step no. 6 for each Vertex AI notebook instance that you want to re-create, launched for the selected GCP project.

08 Repeat steps no. 2 – 7 for each project deployed within your Google Cloud account.

01 Before you can set up and manage your Customer-Managed Encryption Keys (CMEKs), you must create a KMS key ring. Run kms keyrings create command (Windows/macOS/Linux) to create a new Cloud KMS key ring in the specified location. If the CMEKs created later within this key ring will be used to encrypt/decrypt resources in a given region, select that region as the key ring location:

gcloud kms keyrings create vertex-ai-key-ring
  --location=global
  --project=cc-vertex-project-123123
  --format="table(name)"

02 The command output should return the full ID of the newly created key ring:

NAME
projects/cc-vertex-project-123123/locations/global/keyRings/vertex-ai-key-ring

03 Run kms keys create command (Windows/macOS/Linux) to create a new Cloud KMS Customer-Managed Encryption Key (CMEK) within the KMS key ring created at the previous steps:

gcloud kms keys create vertex-ai-cmek
  --location=global
  --keyring=vertex-ai-key-ring
  --purpose=encryption
  --protection-level=software
  --rotation-period=90d
  --next-rotation-time=2024-8-12T10:00:00.0000Z
  --format="table(name)"

04 The command output should return the name of the new Customer-Managed Encryption Key (CMEK):

NAME
projects/cc-vertex-project-123123/locations/global/keyRings/vertex-ai-key-ring/cryptoKeys/vertex-ai-cmek

05 Run projects add-iam-policy-binding command (Windows/macOS/Linux) to assign the Cloud KMS "CryptoKey Encrypter/Decrypter" role to the necessary service account. Replace \<kms-project-id\> with the ID of the Google Cloud project where the Customer-Managed Encryption Keys are provisioned, and replace \<project-number\> with the project number (not the project ID) of the Google Cloud project that is running your Vertex AI notebook instances:

gcloud projects add-iam-policy-binding <kms-project-id>
  --member serviceAccount:service-<project-number>@gcp-sa-notebooks.iam.gserviceaccount.com
  --role roles/cloudkms.cryptoKeyEncrypterDecrypter

06 The command output should return the updated IAM policy (YAML format):

Updated IAM policy for project <kms-project-id>.
bindings:
- members:
- serviceAccount:service-<project-number>@gcp-sa-notebooks.iam.gserviceaccount.com
role: roles/cloudkms.cryptoKeyEncrypterDecrypter
- members:
- user:admin@trendmicro.com
role: roles/owner
etag: abcdabcdabcd
version: 1

07 Run workbench instances create command (Windows/macOS/Linux) to create the new Google Cloud Vertex AI notebook instance that encrypts data at rest with the Customer-Managed Encryption Key (CMEK) created at step no. 3:

gcloud workbench instances create tm-vertex-ai-notebook-instance
  --project=cc-vertex-project-123123
  --container-repository=gcr.io/deeplearning-platform-release/base-cpu
  --container-tag=latest
  --machine-type=e2-standard-2
  --location=us-central1-a
  --shielded-integrity-monitoring=true
  --shielded-secure-boot=true
  --shielded-vtpm=true
  --boot-disk-encryption=CMEK
  --data-disk-encryption=CMEK
  --boot-disk-kms-key=projects/cc-vertex-project-123123/locations/global/keyRings/vertex-ai-key-ring/cryptoKeys/vertex-ai-cmek
  --data-disk-kms-key=projects/cc-vertex-project-123123/locations/global/keyRings/vertex-ai-key-ring/cryptoKeys/vertex-ai-cmek
  --format="json(gceSetup.bootDisk,gceSetup.dataDisks)"

08 The command output should return the configuration information (including the encryption details) available for the instance disks:

Waiting for operation on Instance [tm-vertex-ai-notebook-instance] to be updated with [projects/cc-vertex-project-123123/locations/us-central1-a/operations/operation-abcd1234abcd-abcd1234abcd-abcd1234-abcd1234]...done.
Created workbench instance tm-vertex-ai-notebook-instance [https://notebooks.googleapis.com/v2/projects/cc-vertex-project-123123/locations/us-central1-a/operations/operation-abcd1234abcd-abcd1234abcd-abcd1234-abcd1234].

BOOT_DISK: {'diskEncryption': 'CMEK', 'diskSizeGb': '150', 'kmsKey': 'projects/cc-vertex-project-123123/locations/global/keyRings/vertex-ai-key-ring/cryptoKeys/vertex-ai-cmek'}
DATA_DISKS: [{'diskEncryption': 'CMEK', 'diskSizeGb': '100', 'kmsKey': 'projects/cc-vertex-project-123123/locations/global/keyRings/vertex-ai-key-ring/cryptoKeys/vertex-ai-cmek'}]

09 Repeat steps no. 7 and 8 for each Vertex AI notebook instance that you want to re-create, provisioned for the selected GCP project.

10 Repeat steps no. 1 – 9 for each GCP project deployed in your Google Cloud account.