turbot/steampipe-mod-googleworkspace-compliance

Control: 1.1.2 (L1) Ensure no more than 4 Super Admin accounts exist

Description

More than one Super Admin account is needed, primarily so that a single point of failure can be avoided, but having too many should also be avoided.

From a security point of view, having a large number of Super Admin accounts is a bad practice. In general, all users should be assigned the least privileges needed to do their job. This includes administrators, since not everyone who needs to "Administer Something" needs to be a Super Admin. Google Workspace provides many predefined Administration Roles and also allows the creation of Custom Roles with very granular permission selection.

Remediation

Reduce the number of accounts with a "Super Admin" role.

Default Value

All Google Workspace tenants will have one Super Admin initially.

Usage

Run the control in your terminal:

powerpipe control run googleworkspace_compliance.control.cis_v120_1_1_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run googleworkspace_compliance.control.cis_v120_1_1_2 --share

SQL

This control uses a named query:

with super_admins as (
  select
    count(*) as count
  from
    googledirectory_user
  where
    is_admin = true
)
select
  'organization' as resource,
  case
    when count <= 4 then 'ok'
    else 'alarm'
  end as status,
  'Found ' || count || ' super admin account(s). Maximum recommended is 4.' as reason
from
  super_admins;
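
The named query reports only a total, and its `is_admin = true` filter also counts suspended accounts. The following Steampipe query is an added example, not part of the mod: it lists each Super Admin with signals that help choose which accounts to demote. It assumes the `googledirectory_user` columns `primary_email`, `full_name`, `suspended`, `is_enrolled_in_2sv` and `last_login_time`, and the 90-day threshold is an illustrative choice.

```sql
-- Added example: per-account review list behind the control's count.
-- Assumed columns (not used by the mod's query): primary_email, full_name,
-- suspended, is_enrolled_in_2sv, last_login_time.
with super_admins as (
  select
    primary_email,
    full_name,
    suspended,
    is_enrolled_in_2sv,
    last_login_time
  from
    googledirectory_user
  where
    is_admin = true
)
select
  primary_email,
  full_name,
  last_login_time,
  case
    -- Suspended accounts still hold the role and still count toward the limit.
    when suspended then 'suspended but still Super Admin'
    when not is_enrolled_in_2sv then 'not enrolled in 2-Step Verification'
    -- 90 days is an illustrative threshold, not a benchmark value.
    when last_login_time is null
      or last_login_time < now() - interval '90 days' then 'no login in 90 days'
    else 'active'
  end as review_note,
  -- Same total the control evaluates against the maximum of 4.
  count(*) over () as total_super_admins
from
  super_admins
order by
  suspended desc,
  is_enrolled_in_2sv,
  last_login_time nulls first;
```

Rows sorted to the top are the first candidates for moving to a predefined or custom administration role.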

Tags