Compute Engine – Enable Confidential Computing
This check ensures that Compute Engine VM instances have Confidential Computing enabled so that data is encrypted in-use using hardware-based memory encryption.
Check Details
- Resource: Compute Engine VM Instance
- Check: Enable Confidential Computing
- Risk: Without Confidential Computing, sensitive data in memory may be exposed to potential unauthorized access or advanced attack vectors.
Remediation via Google Cloud Console
Confidential Computing can only be enabled during VM creation. Existing instances must be deleted and recreated.
- Log in to the Google Cloud Console and open the VM instances page.
- Click Create Instance.
- Configure the required VM settings such as name, region, zone, and machine type.
- Under the Security section, enable Confidential Computing.
- Click Create to launch the VM instance.
Remediation via Google Cloud CLI
Create a new Compute Engine VM instance with Confidential Computing enabled.
- Open the Google Cloud Console and click the Cloud Shell icon (>_) in the top-right corner.
- Run the following command:
  gcloud compute instances create <INSTANCE_NAME> \
    --zone <ZONE> \
    --confidential-compute \
    --maintenance-policy=TERMINATE
  Replace <INSTANCE_NAME> and <ZONE> with the appropriate values.
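As an added example (not code from the original page or from Google), a small Python audit for this check: it parses the output of `gcloud compute instances list --format=json`, flags every instance whose confidentialInstanceConfig.enableConfidentialCompute is not true, records its host-maintenance policy, and prints the page's remediation command filled in for each finding. The instance records below are constructed; the field names follow the Compute Engine instances resource.

```python
import json

# Constructed sample shaped like `gcloud compute instances list --format=json`; fictitious data.
SAMPLE_INSTANCES_JSON = """[
 {"name": "web-1",
  "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-a",
  "confidentialInstanceConfig": {"enableConfidentialCompute": true},
  "scheduling": {"onHostMaintenance": "TERMINATE"}},
 {"name": "legacy-db",
  "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-b",
  "scheduling": {"onHostMaintenance": "MIGRATE"}},
 {"name": "batch-3",
  "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/europe-west1-b",
  "confidentialInstanceConfig": {"enableConfidentialCompute": false},
  "scheduling": {"onHostMaintenance": "TERMINATE"}}
]"""

def zone_name(zone_url):
    """The API reports the zone as a URL; keep only its last path segment."""
    return zone_url.rstrip("/").rsplit("/", 1)[-1]

def is_confidential(instance):
    """True only if confidentialInstanceConfig.enableConfidentialCompute is set."""
    # An absent block means the VM was created without the feature (the default).
    cfg = instance.get("confidentialInstanceConfig") or {}
    return bool(cfg.get("enableConfidentialCompute"))

def remediation_command(instance):
    """The page's CLI remediation filled in for this instance. The old VM must be
    deleted first; machine type, disks and network settings are not carried over."""
    return (f"gcloud compute instances create {instance['name']} "
            f"--zone {zone_name(instance['zone'])} "
            "--confidential-compute --maintenance-policy=TERMINATE")

def audit(instances_json):
    """Return one finding per instance that fails the check, with the fix to run."""
    findings = []
    for inst in json.loads(instances_json):
        if is_confidential(inst):
            continue
        findings.append({
            "name": inst["name"],
            "zone": zone_name(inst["zone"]),
            "on_host_maintenance": inst.get("scheduling", {}).get("onHostMaintenance"),
            "remediation": remediation_command(inst),
        })
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_INSTANCES_JSON):
        print(f"{f['name']} ({f['zone']}): Confidential Computing disabled -> {f['remediation']}")
```

Pipe real output in with `gcloud compute instances list --format=json | python3 audit.py` after replacing the sample with `sys.stdin.read()`.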
Default Value
By default, Confidential Computing is disabled for Compute Engine VM instances.