Control: 1.1.3 (L1) Ensure super admin accounts are used only for super admin activities
Description
Super admin accounts have access to all features in the Google Admin console and Admin API and can manage every aspect of your organization's account. Super admins also have full access to all users' calendars and event details.
It is recommended to give each super administrator two accounts: a super admin account and a separate, non-admin account for daily activities. Users should sign in to the super admin account only to perform super admin tasks, such as setting up 2-Step Verification (2SV), managing billing and user licenses, or helping another admin recover their account.
Super admins should sign in as needed to do a specific task and then sign out. Leaving a super admin account signed in increases its exposure to phishing and session-theft attacks.
Use the super admin account only when needed. Delegate administrator tasks to user accounts with limited admin roles. Use the least privilege approach, where each user has access to the resources and tools needed for their typical tasks. For example, you could grant an admin permissions to create user accounts and reset passwords, but not let them delete user accounts.
Remediation
For every Super admin that is also a Delegated admin account, either create a Delegated admin account for the user or elevate their existing non-admin account to a Delegated admin account, so that the super admin account itself no longer carries delegated admin roles.
Default Value
N/A
Usage
Run the control in your terminal:
powerpipe control run googleworkspace_compliance.control.cis_v120_1_1_3
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run googleworkspace_compliance.control.cis_v120_1_1_3 --share
SQL
This control uses a named query:
with dual_role_admins as (
  select
    primary_email,
    full_name,
    id
  from
    googledirectory_user
  where
    is_admin = true
    and is_delegated_admin = true
),
summary as (
  select
    count(*) as dual_role_count
  from
    dual_role_admins
)
select
  'organization' as resource,
  case
    when dual_role_count = 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when dual_role_count = 0 then 'All super admin accounts are dedicated (no dual admin roles).'
    else 'Found ' || dual_role_count || ' super admin account(s) that also have delegated admin roles.'
  end as reason
from
  summary;
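The named query above reports a single organization-level count, which tells you that a problem exists but not which accounts to fix. The following per-account variant is an added example, not part of the googleworkspace_compliance mod; it reads the same googledirectory_user table and the same is_admin and is_delegated_admin columns, and emits one row per super admin so the remediation step can be applied to the exact accounts that hold both roles. Delegated admins that are not super admins are intentionally excluded, since that is the recommended configuration.

```sql
-- Added example (not the mod's own control query): per-account view of the
-- CIS 1.1.3 check. One row per super admin; 'alarm' rows are the accounts
-- that also carry delegated admin roles and therefore need remediation.
select
  primary_email as resource,
  full_name,
  id,
  case
    when is_delegated_admin = true then 'alarm'
    else 'ok'
  end as status,
  case
    when is_delegated_admin = true
      then primary_email || ' is a super admin that also holds delegated admin roles.'
    else primary_email || ' is a dedicated super admin account.'
  end as reason
from
  googledirectory_user
where
  -- only super admins are in scope; a delegated admin that is not a
  -- super admin is the desired least-privilege state, not a finding
  is_admin = true
order by
  status,      -- 'alarm' sorts before 'ok', so findings appear first
  primary_email;
```

Run it with `steampipe query` against the same googledirectory connection the control uses. If the control above returns 'alarm' with a count of N, this query returns exactly N 'alarm' rows, one for each account to split into a dedicated super admin account and a separate delegated admin account.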