Control: 3.1.2.1.2.4 (L2) Ensure viewers and commenters ability to download, print, and copy files is disabled
Description
Limit what viewers and commenters on a shared document can do with it.
In many cases it is fine for users to do what they want with a document on a shared drive (download, print, etc.). In more restricted environments (protected intellectual property, personally identifiable information, etc.), these capabilities may need to be prevented.
Remediation
To verify this setting via the Google Workspace Admin Console:
- Log in to https://admin.google.com as an administrator.
- Select Apps.
- Select Google Workspace.
- Select Drive and Docs.
- Select Sharing settings.
- Under Shared drive creation, set Allow viewers and commenters to download, print, and copy files to unchecked.
- Select Save.
Default Value
Allow viewers and commenters to download, print, and copy files is unchecked.
Usage
Run the control in your terminal:
powerpipe control run googleworkspace_compliance.control.cis_v120_3_1_2_1_2_4
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run googleworkspace_compliance.control.cis_v120_3_1_2_1_2_4 --share
SQL
This control uses a named query:
-- A NULL copy_requires_writer_permission does not equal true, so it is reported as 'alarm'.
select
  name as resource,
  case
    when copy_requires_writer_permission = true then 'ok'
    else 'alarm'
  end as status,
  case
    when copy_requires_writer_permission = true then 'Shared drive "' || name || '" restricts viewer download/print/copy capabilities.'
    else 'Shared drive "' || name || '" allows viewers to download/print/copy files.'
  end as reason
from
  googleworkspace_drive;
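The same ok/alarm logic applied offline to a saved Drive API drives.list response, as an added example that is not part of the Powerpipe mod. It assumes the copy_requires_writer_permission column corresponds to the API field restrictions.copyRequiresWriterPermission; the sample drives and the function names are constructed for illustration.

```python
import json

# Constructed sample shaped like a Drive API v3 drives.list response.
SAMPLE_RESPONSE = json.loads("""
{"drives": [
  {"id": "sample-1", "name": "Finance",
   "restrictions": {"copyRequiresWriterPermission": true}},
  {"id": "sample-2", "name": "Marketing",
   "restrictions": {"copyRequiresWriterPermission": false}},
  {"id": "sample-3", "name": "Legacy"}
]}
""")


def evaluate_drive(drive):
    """Return a resource/status/reason row for one shared drive."""
    name = drive.get("name", "<unnamed>")
    # Assumption: this API field backs the copy_requires_writer_permission
    # column. A missing value behaves like SQL NULL: "= true" does not
    # match, so the drive falls through to the alarm branch.
    observed = (drive.get("restrictions") or {}).get("copyRequiresWriterPermission")
    if observed is True:
        status = "ok"
        reason = f'Shared drive "{name}" restricts viewer download/print/copy capabilities.'
    else:
        status = "alarm"
        reason = f'Shared drive "{name}" allows viewers to download/print/copy files.'
    return {"resource": name, "status": status, "reason": reason, "observed": observed}


def evaluate_response(response):
    """Evaluate every drive in a drives.list response."""
    return [evaluate_drive(d) for d in response.get("drives", [])]


def exit_code(rows):
    """Non-zero when any drive is in alarm, for use in a scheduled check."""
    return 1 if any(r["status"] == "alarm" for r in rows) else 0


if __name__ == "__main__":
    rows = evaluate_response(SAMPLE_RESPONSE)
    for row in rows:
        print(f'{row["status"]:5} {row["reason"]} (observed={row["observed"]})')
    raise SystemExit(exit_code(rows))
```

The observed field keeps an explicit false apart from a value that was never returned, which the control's status alone does not show.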