turbot/steampipe-mod-googleworkspace-compliance

Control: 3.1.2.1.1.3 (L2) Ensure document sharing is being controlled by domain with allowlists

Description

You should control sharing of documents to external domains by either blocking domains or only allowing sharing with specific named domains.

Attackers will often attempt to expose sensitive information to external entities through sharing, and restricting the domains that your users can share documents with will reduce that surface area.

Remediation

To configure this setting via the Google Workspace Admin Console:

  1. Log in to https://admin.google.com as an administrator.
  2. Select Apps.
  3. Select Google Workspace.
  4. Select Drive and Docs.
  5. Under Sharing settings, select Sharing options.
  6. Under Sharing outside of <Company>, select ALLOWLISTED DOMAINS - Files owned by users in <Company> can be shared with Google Accounts in compatible allowlisted domains.
  7. Set Warn when files owned by users or shared drives in <Company> are shared with users in allowlisted domains to checked.
  8. Select Save.

Default Value

Sharing outside of <Company> is ON - Files owned by users in <Company> can be shared outside of <Company>. This applies to files in all shared drives as well.

Usage

Run the control in your terminal:

powerpipe control run googleworkspace_compliance.control.cis_v120_3_1_2_1_1_3

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run googleworkspace_compliance.control.cis_v120_3_1_2_1_1_3 --share

SQL

This control uses a named query:

select
  name as resource,
  case
    when domain_users_only = true then 'ok'
    else 'alarm'
  end as status,
  case
    when domain_users_only = true then 'Shared drive "' || name || '" is restricted to domain users only.'
    else 'Shared drive "' || name || '" allows external domain access.'
  end as reason
from
  googleworkspace_drive;
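The following is an added example, not part of the mod, showing how the control query above evaluates shared drives. It loads constructed sample rows into an in-memory SQLite table named googleworkspace_drive (standing in for the Steampipe Postgres table; the rows and their values are made up) and runs the page's query unchanged. The third row has a NULL domain_users_only value, which shows the conservative behaviour of the query: anything other than an explicit true is reported as alarm.

```python
import sqlite3
from typing import Dict, List, Optional, Tuple

# The control's query, copied from the page. SQLite >= 3.23 accepts the
# TRUE keyword as the integer 1, so the query runs there without changes.
CONTROL_QUERY = """
select
  name as resource,
  case
    when domain_users_only = true then 'ok'
    else 'alarm'
  end as status,
  case
    when domain_users_only = true then 'Shared drive "' || name || '" is restricted to domain users only.'
    else 'Shared drive "' || name || '" allows external domain access.'
  end as reason
from
  googleworkspace_drive;
"""

# Constructed sample rows standing in for what the googleworkspace_drive
# table would return: (name, domain_users_only). None models a NULL
# restriction value, i.e. the restriction was not reported for the drive.
SAMPLE_DRIVES: List[Tuple[str, Optional[int]]] = [
    ("Engineering", 1),
    ("Marketing", 0),
    ("Legacy Archive", None),
]


def evaluate_control(rows=SAMPLE_DRIVES) -> List[Tuple[str, str, str]]:
    """Load the rows into an in-memory table and run the control query.

    Returns (resource, status, reason) tuples in row order.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table googleworkspace_drive (name text, domain_users_only integer)"
    )
    conn.executemany("insert into googleworkspace_drive values (?, ?)", rows)
    query = CONTROL_QUERY
    if sqlite3.sqlite_version_info < (3, 23, 0):
        # Older SQLite has no TRUE keyword; booleans are stored as integers.
        query = query.replace("= true", "= 1")
    results = conn.execute(query).fetchall()
    conn.close()
    return results


def summarize(results) -> Dict[str, int]:
    """Count drives per status, the way a control run summary does."""
    counts: Dict[str, int] = {}
    for _resource, status, _reason in results:
        counts[status] = counts.get(status, 0) + 1
    return counts


if __name__ == "__main__":
    findings = evaluate_control()
    for resource, status, reason in findings:
        print(f"{status:5}  {resource:15}  {reason}")
    print(summarize(findings))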

Tags