Control: 3.1.2.1.1.3 (L2) Ensure document sharing is being controlled by domain with allowlists
Description
You should control sharing of documents to external domains by either blocking domains or only allowing sharing with specific named domains.
Attackers will often attempt to expose sensitive information to external entities through sharing, and restricting the domains that your users can share documents with will reduce that surface area.
Remediation
To configure this setting via the Google Workspace Admin Console:
- Log in to
https://admin.google.comas an administrator. - Select
Apps. - Select
Google Workspace. - Select
Drive and Docs. - Under
Sharing settings, selectSharing options. - Under
Sharing outside of <Company>, selectALLOWLISTED DOMAINS - Files owned by users in <Company> can be shared with Google Accounts in compatible allowlisted domains. - Set
Warn when files owned by users or shared drives in <Company> are shared with users in allowlisted domainstochecked. - Select
Save.
Default Value
Sharing outside of <Company> is ON - Files owned by users in <Company> can be shared outside of <Company>. This applies to files in all shared drives as well.
Usage
Run the control in your terminal:
powerpipe control run googleworkspace_compliance.control.cis_v120_3_1_2_1_1_3Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run googleworkspace_compliance.control.cis_v120_3_1_2_1_1_3 --shareSQL
This control uses a named query:
select name as resource, case when domain_users_only = true then 'ok' else 'alarm' end as status, case when domain_users_only = true then 'Shared drive "' || name || '" is restricted to domain users only.' else 'Shared drive "' || name || '" allows external domain access.' end as reasonfrom googleworkspace_drive;