turbot/steampipe-mod-googleworkspace-compliance

Control: 3.1.2.1.2.4 (L2) Ensure viewers and commenters ability to download, print, and copy files is disabled

Description

Limit what viewers/commenters on a shared document can do with it.

In many cases when sharing a document, it might be fine for users to do what they want with the document on the shared drive (download, print, etc.). In more restricted environments (protected intellectual property, personally identifiable information, etc.), these capabilities may need to be prevented.

Remediation

To configure this setting via the Google Workspace Admin Console:

  1. Log in to https://admin.google.com as an administrator.
  2. Select Apps.
  3. Select Google Workspace.
  4. Select Drive and Docs.
  5. Select Sharing settings.
  6. Under Shared drive creation, set Allow viewers and commenters to download, print, and copy files to unchecked.
  7. Select Save.

Default Value

Allow viewers and commenters to download, print, and copy files is unchecked

Usage

Run the control in your terminal:

powerpipe control run googleworkspace_compliance.control.cis_v120_3_1_2_1_2_4

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run googleworkspace_compliance.control.cis_v120_3_1_2_1_2_4 --share

SQL

This control uses a named query:

select
  name as resource,
  -- 'ok' only when the shared drive requires writer permission to copy;
  -- false or null falls through to 'alarm'.
  case
    when copy_requires_writer_permission = true then 'ok'
    else 'alarm'
  end as status,
  -- Human-readable explanation shown next to each shared drive.
  case
    when copy_requires_writer_permission = true then 'Shared drive "' || name || '" restricts viewer download/print/copy capabilities.'
    else 'Shared drive "' || name || '" allows viewers to download/print/copy files.'
  end as reason
from
  googleworkspace_drive;
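
The query above checks each existing shared drive, while the Admin Console steps are a manual procedure. The following added example (not part of the mod or of the original page) applies the same ok/alarm logic to a Drive API v3 `drives.list` response and builds, without sending, the `drives.update` request that would restrict each drive in alarm. It assumes the `copy_requires_writer_permission` column corresponds to the API field `restrictions.copyRequiresWriterPermission`; the drive IDs and names are constructed.

```python
import json

# Constructed sample shaped like a Drive API v3 drives.list response
# (fields=drives(id,name,restrictions)); not real tenant data.
SAMPLE_RESPONSE = json.loads("""
{"drives": [
  {"id": "0AAexample1", "name": "Legal",
   "restrictions": {"copyRequiresWriterPermission": true}},
  {"id": "0AAexample2", "name": "Marketing",
   "restrictions": {"copyRequiresWriterPermission": false}},
  {"id": "0AAexample3", "name": "Archive"}
]}
""")

API_BASE = "https://www.googleapis.com/drive/v3/drives"


def evaluate(drives):
    """Return one row per shared drive with the control's ok/alarm status."""
    rows = []
    for d in drives:
        # A missing restrictions object or flag counts as not restricted,
        # matching the query's `else 'alarm'` branch for NULL values.
        flag = (d.get("restrictions") or {}).get("copyRequiresWriterPermission")
        rows.append({"id": d["id"], "resource": d["name"],
                     "status": "ok" if flag is True else "alarm"})
    return rows


def remediation_plan(rows):
    """Build (not send) a drives.update request for every drive in alarm."""
    body = {"restrictions": {"copyRequiresWriterPermission": True}}
    return [{"method": "PATCH",
             "url": f"{API_BASE}/{r['id']}",
             "resource": r["resource"],
             "body": body}
            for r in rows if r["status"] == "alarm"]


if __name__ == "__main__":
    rows = evaluate(SAMPLE_RESPONSE["drives"])
    for r in rows:
        print(f"{r['status']:5} {r['resource']}")
    print(json.dumps(remediation_plan(rows), indent=2))
```

Review the plan before sending any request, and re-run the control afterwards to confirm every shared drive reports `ok`.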

Tags