lacework-global-308
4.11 Ensure That Compute Instances Have Confidential Computing Enabled (Automated)
Profile Applicability
• Level 2
Description
Google Cloud encrypts data at-rest and in-transit, but it is necessary to decrypt customer data for processing. Confidential Computing is a breakthrough technology which encrypts data in-use while processing the data. Confidential Computing environments keep data encrypted in memory and elsewhere outside the central processing unit (CPU).
Confidential VMs leverage the Secure Encrypted Virtualization (SEV) feature of Advanced Micro Devices (AMD) EPYC(TM) CPUs. Customer data stays encrypted during use, indexing, querying, or training usage. The encryption keys are hardware generated per VM, and are not exportable. Thanks to built-in hardware optimizations of both performance and security, there is no significant performance penalty to Confidential Computing workloads.
Rationale
Confidential Computing enables customers' sensitive code and other data encrypted in memory during processing. Google does not have access to the encryption keys. Confidential VM can help alleviate concerns about risk related to either dependency on Google infrastructure or Google insiders' access to customer data in the clear.
Impact
- Confidential Computing for Compute instances does not support live migration. Unlike regular Compute instances, Confidential VMs experience disruptions during maintenance events like a software or hardware update.
- Additional charges may be incurred when enabling this security feature. See https://cloud.google.com/compute/confidential-vm/pricing for more info.
Audit
Confidential Computing is currently only supported on N2D machines. To learn more about types of N2D machines, visit https://cloud.google.com/compute/docs/machine-types#n2d_machine_types
From Console:
Go to the
VM instancespage by visiting: https://console.cloud.google.com/compute/instances.Click on the instance name to see its VM instance details page.
Ensure that
Confidential VM serviceisEnabled.
From Command Line:
- List the instances in your project and get details on each instance:
gcloud compute instances list --format=json
- Ensure that
enableConfidentialComputeis set totruefor all instances with machine type starting with "n2d-".
confidentialInstanceConfig:
enableConfidentialCompute: true
Remediation
Enabling of Confidential Computing is only possible during instance creation. You must delete the current instance and create a new one.
From Console:
Go to the VM instances page by visiting: https://console.cloud.google.com/compute/instances.
Click
CREATE INSTANCE.Fill out the desired configuration for your instance.
Under the
Confidential VM servicesection, selectEnable the Confidential Computing service on this VM instance.Click
Create.
From Command Line:
Create a new instance with Confidential Compute enabled.
gcloud beta compute instances create <instance_name> --zone <zone> --confidential-compute --maintenance-policy=TERMINATE
References
https://cloud.google.com/compute/confidential-vm/docs/creating-cvm-instance
https://cloud.google.com/compute/confidential-vm/docs/about-cvm
https://cloud.google.com/confidential-computing
https://cloud.google.com/blog/products/identity-security/introducing-google-cloud-confidential-computing-with-confidential-vms