turbot/steampipe-mod-googleworkspace-compliance

Control: 1.1.3 (L1) Ensure super admin accounts are used only for super admin activities

Description

Super admin accounts have access to all features in the Google Admin console and Admin API and can manage every aspect of your organization's account. Super admins also have full access to all users' calendars and event details.

It is recommended to give each super administrator two accounts: one super admin account and a second account for daily activities. Users should only sign in to a super admin account to perform super admin tasks, such as setting up 2-Step Verification (2SV), managing billing and user licenses, or helping another admin recover their account. Super administrators should use a separate, non-admin account for day-to-day activities.

Super admins should sign in as needed to do specific tasks and then sign out. Leaving super admin accounts signed in can increase exposure to phishing attacks.

Use the super admin account only when needed. Delegate administrator tasks to user accounts with limited admin roles. Use the least privilege approach, where each user has access to the resources and tools needed for their typical tasks. For example, you could grant an admin permissions to create user accounts and reset passwords, but not let them delete user accounts.

Remediation

For every Super admin that is also a Delegated admin account, either create a separate Delegated admin account for the user, or elevate their existing non-admin account to a Delegated admin account.

Default Value

N/A

Usage

Run the control in your terminal:

powerpipe control run googleworkspace_compliance.control.cis_v120_1_1_3

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run googleworkspace_compliance.control.cis_v120_1_1_3 --share

SQL

This control uses a named query:

with dual_role_admins as (
  select
    primary_email,
    full_name,
    id
  from
    googledirectory_user
  where
    is_admin = true
    and is_delegated_admin = true
),
summary as (
  select
    count(*) as dual_role_count
  from
    dual_role_admins
)
select
  'organization' as resource,
  case
    when dual_role_count = 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when dual_role_count = 0 then 'All super admin accounts are dedicated (no dual admin roles).'
    else 'Found ' || dual_role_count || ' super admin account(s) that also have delegated admin roles.'
  end as reason
from
  summary;
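
The named query above reports a single organization-level status, so it tells you that dual-role super admins exist but not which ones. The following query is an added example, not part of the mod, that evaluates every super admin account individually in the same resource/status/reason shape a Powerpipe control expects, so the remediation step can be applied account by account. It assumes only the googledirectory_user table and the columns used in the query above.

```sql
-- Added example (not the mod's own query): one row per super admin account.
-- Rows with status 'alarm' are the accounts the Remediation section applies to.
-- Assumes the same googledirectory_user table and columns as the control query.
select
  -- resource is what Powerpipe groups and displays; use the account itself
  primary_email as resource,
  case
    when is_delegated_admin then 'alarm'
    else 'ok'
  end as status,
  case
    when is_delegated_admin then
      full_name || ' (' || primary_email || ') is a super admin that also holds a delegated admin role.'
    else
      full_name || ' (' || primary_email || ') is a dedicated super admin account.'
  end as reason,
  -- any additional column becomes a dimension in the report
  id as user_id
from
  googledirectory_user
where
  -- only super admin accounts are in scope for this control
  is_admin = true
order by
  status,
  primary_email;
```

Counting the 'alarm' rows of this query yields the same dual_role_count the mod's query reports.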

Tags