turbot/steampipe-mod-googleworkspace-compliance

Control: 1.1.1 (L1) Ensure more than one Super Admin account exists

Description

Having more than one Super Admin account is needed primarily so that a single point of failure can be avoided. Also, for larger organizations, having multiple Super Admins can be useful for workload balancing purposes.

From a security point of view, having only a single Super Admin Account can be problematic if this user were unavailable for an extended period of time. Also, Super Admin accounts should never be shared amongst multiple users.

Remediation

Create at least one additional account with a Super Admin role.

NOTE: A new account should be created rather than adding this role to an existing account, since administration tasks should be done through separate Admin accounts.

Default Value

All Google Workspace tenants will have one Super Admin initially.

Usage

Run the control in your terminal:

powerpipe control run googleworkspace_compliance.control.cis_v120_1_1_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run googleworkspace_compliance.control.cis_v120_1_1_1 --share

SQL

This control uses a named query:

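-- Count the accounts that hold super administrator privileges (is_admin).
with super_admins as (
  select
    count(*) as count
  from
    googledirectory_user
  where
    is_admin = true
)
-- One organization-level result: 'ok' only when more than one Super Admin exists.
select
  'organization' as resource,
  case
    when count > 1 then 'ok'
    else 'alarm'
  end as status,
  'Found ' || count || ' super admin account(s).' as reason
from
  super_admins;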
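
A stricter variant of this check, added here as an example and not part of the mod: a suspended Super Admin cannot sign in, so it does nothing for the single-point-of-failure concern described above and is excluded from the count. It assumes the `googledirectory_user` table also exposes `primary_email` and `suspended` columns; the aliases `active_count`, `suspended_count` and `active_emails` are made up for this example.

```sql
-- Added example (not the mod's own query).
-- Assumption: googledirectory_user has primary_email and suspended columns.
with super_admins as (
  select
    -- Super Admins that can actually sign in.
    count(*) filter (where not coalesce(suspended, false)) as active_count,
    -- Super Admins that exist but are suspended.
    count(*) filter (where coalesce(suspended, false)) as suspended_count,
    -- Names of the usable accounts, so the reviewer can confirm that each
    -- one is a dedicated admin account and not a shared or daily-use one.
    string_agg(primary_email, ', ' order by primary_email)
      filter (where not coalesce(suspended, false)) as active_emails
  from
    googledirectory_user
  where
    is_admin = true
)
select
  'organization' as resource,
  case
    when active_count > 1 then 'ok'
    else 'alarm'
  end as status,
  'Found ' || active_count || ' active super admin account(s)'
    -- active_emails is null when there are no active Super Admins.
    || coalesce(' (' || active_emails || ')', '')
    || ', ' || suspended_count || ' suspended.' as reason
from
  super_admins;
```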
