Control: Ensure that Compute instances have Confidential Computing enabled
Description
Google Cloud encrypts data at-rest and in-transit, but customer data must be decrypted for processing. Confidential Computing is a breakthrough technology which encrypts data in-use—while it is being processed. Confidential Computing environments keep data encrypted in memory and elsewhere outside the central processing unit (CPU).
Usage
Run the control in your terminal:
powerpipe control run gcp_compliance.control.compute_instance_confidential_computing_enabledSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run gcp_compliance.control.compute_instance_confidential_computing_enabled --shareSQL
This control uses a named query:
select self_link resource, case when confidential_instance_config @> '{"enableConfidentialCompute": true}' then 'ok' else 'alarm' end as status, case when confidential_instance_config @> '{"enableConfidentialCompute": true}' then title || ' confidential computing enabled.' else title || ' confidential computing not enabled.' end as reason , location as location, project as projectfrom gcp_compute_instance;