Powerpipe MCP Server →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-gcp-compliance
Overview
13Dashboards
621Benchmarks
202Queries
2Variables
GitHub

Control: 4.11 Ensure That Compute Instances Have Confidential Computing Enabled

Description

Google Cloud encrypts data at-rest and in-transit, but customer data must be decrypted for processing. Confidential Computing is a breakthrough technology that encrypts data in-use while it is being processed. Confidential Computing environments keep data encrypted in memory and elsewhere outside the central processing unit (CPU).

Confidential VMs leverage hardware-based memory encryption technologies, such as AMD Secure Encrypted Virtualization (SEV), AMD SEV-SNP, and Intel Trust Domain Extensions (TDX), depending on the chosen machine type and CPU platform. Customer data will stay encrypted while it is used, indexed, queried, or trained on. Encryption keys are generated by and reside solely in dedicated hardware and are not exportable, enhancing isolation and security. Built-in hardware optimizations ensure Confidential Computing workloads experience minimal to no significant performance penalties.

Confidential Computing enables customers' sensitive code and other data encrypted in memory during processing. Google does not have access to the encryption keys. Confidential VM can help alleviate concerns about risk related to either dependency on Google infrastructure or Google insiders' access to customer data in the clear.

Remediation

Confidential Computing can only be enabled when an instance is created. You must delete the current instance and create a new one.

From Google Cloud Console

  1. Go to the VM instances page by visiting: https://console.cloud.google.com/compute/instances.

  2. Click CREATE INSTANCE.

  3. Fill out the desired configuration for your instance.

  4. Under the Confidential VM service section, check the option Enable the Confidential Computing service on this VM instance.

  5. Click Create.

From Google Cloud CLI

Create a new instance with Confidential Compute enabled.

gcloud compute instances create <INSTANCE_NAME> --zone <ZONE> --confidential-compute --maintenance-policy=TERMINATE

Default Value

By default, Confidential Computing is disabled for Compute instances.

Usage

Run the control in your terminal:

powerpipe control run gcp_compliance.control.cis_v400_4_11

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run gcp_compliance.control.cis_v400_4_11 --share

SQL

This control uses a named query:

select
  self_link resource,
  case
    when confidential_instance_config @> '{"enableConfidentialCompute": true}' then 'ok'
    else 'alarm'
  end as status,
  case
    when confidential_instance_config @> '{"enableConfidentialCompute": true}'
      then title || ' confidential computing enabled.'
    else title || ' confidential computing not enabled.'
  end as reason
  
  , location as location, project as project
from
  gcp_compute_instance;

Tags

benchmark = cis
category = Compliance
cis_item_id = 4.11
cis_level = 2
cis_section_id = 4
cis_type = automated
cis_version = v4.0.0
plugin = gcp
service = GCP/Compute