turbot/steampipe-mod-googleworkspace-compliance

Control: 3.1.2.1.2.3 (L1) Ensure shared drive file access is restricted to members only

Description

Shared drive file access should be restricted to that shared drive's members.

Preventing unauthorized users from accessing sensitive data is paramount to avoiding unauthorized or unintentional information disclosure.

Remediation

To configure this setting via the Google Workspace Admin Console:

  1. Log in to https://admin.google.com as an administrator.
  2. Select Apps.
  3. Select Google Workspace.
  4. Select Drive and Docs.
  5. Select Sharing settings.
  6. Under Shared drive creation, uncheck "Allow people who aren't shared drive members to be added to files".
  7. Select Save.

Default Value

"Allow people who aren't shared drive members to be added to files" is checked.

Usage

Run the control in your terminal:

powerpipe control run googleworkspace_compliance.control.cis_v120_3_1_2_1_2_3

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run googleworkspace_compliance.control.cis_v120_3_1_2_1_2_3 --share

SQL

This control uses a named query:

select
  name as resource,
  case
    when drive_members_only = true then 'ok'
    else 'alarm'
  end as status,
  case
    when drive_members_only = true then 'Shared drive "' || name || '" restricts access to members only.'
    else 'Shared drive "' || name || '" allows non-member access.'
  end as reason
from
  googleworkspace_drive;
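The query above reports 'ok' only for an explicit true, so a drive whose setting is missing fails closed. The following is an added example, not part of the mod: it runs the same CASE logic over constructed rows in place of googleworkspace_drive, and the drive names and the setting_missing column are assumptions made for illustration.

```sql
-- Constructed sample rows standing in for googleworkspace_drive.
-- Drive names are hypothetical; only name and drive_members_only
-- are taken from the control's query.
with sample_drive (name, drive_members_only) as (
  values
    ('Finance',     true),
    ('Engineering', false),
    ('Legacy',      null::boolean)  -- restriction not returned for this drive
),
evaluated as (
  select
    name as resource,
    case
      -- NULL = true evaluates to NULL, which is not true,
      -- so the row falls through to the ELSE branch.
      when drive_members_only = true then 'ok'
      else 'alarm'
    end as status,
    -- Hypothetical helper column: separates "explicitly open"
    -- from "value missing" when triaging alarms.
    drive_members_only is null as setting_missing
  from
    sample_drive
)
select
  resource,
  status,
  setting_missing
from
  evaluated
order by
  status,
  resource;
```

When triaging, rows with setting_missing set to true point to a data-collection gap to investigate rather than a confirmed open drive.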

Tags