turbot/steampipe-mod-googleworkspace-compliance

Control: 3.1.3.1.1 (L1) Ensure users cannot delegate access to their mailbox

Description

Mail delegation allows a delegate to read, send, and delete messages on the mailbox owner's behalf. For example, a manager can delegate Gmail access to another person in their organization, such as an administrative assistant.

Only administrators should be able to delegate access to a user's mailbox.

Remediation

To configure this setting via the Google Workspace Admin Console:

  1. Log in to https://admin.google.com as an administrator.
  2. Select Apps.
  3. Select Google Workspace.
  4. Select Gmail.
  5. Under User Settings - Mail delegation, set Let users delegate access to their mailbox to other users in the domain to unchecked.
  6. Select Save.

Default Value

Let users delegate access to their mailbox to other users in the domain is unchecked

Usage

Run the control in your terminal:

powerpipe control run googleworkspace_compliance.control.cis_v120_3_1_3_1_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run googleworkspace_compliance.control.cis_v120_3_1_3_1_1 --share

SQL

This control uses a named query:

with all_users as (
  select primary_email as user_email from googledirectory_user
),
gmail_settings as (
  select
    u.user_email,
    gs.delegates
  from all_users u
  left join googleworkspace_gmail_settings gs on gs.user_email = u.user_email
)
select
  user_email as resource,
  case
    when delegates is null or jsonb_array_length(delegates) = 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when delegates is null or jsonb_array_length(delegates) = 0 then 'No mailbox delegation configured for user: ' || user_email || '.'
    else 'Mailbox delegation is enabled for user: ' || user_email || ' with ' || jsonb_array_length(delegates) || ' delegate(s).'
  end as reason
from
  gmail_settings;
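To see how the status logic above classifies users without a Steampipe connection, the following is an added example (not part of the mod) that replaces the two plugin tables with constructed rows and runs the same case expressions on plain PostgreSQL. The sample addresses and the delegate JSON shape are assumptions; note that a user with no settings row at all (carol below) comes out as 'ok' because a null delegates value is treated the same as an empty list, so a failed or partial settings fetch does not raise an alarm.

```sql
-- Added example: constructed sample data standing in for googledirectory_user
-- and googleworkspace_gmail_settings (not the mod's own query).
with all_users(user_email) as (
  values
    ('alice@example.com'),  -- settings row present, empty delegate list
    ('bob@example.com'),    -- settings row present, one delegate
    ('carol@example.com')   -- no settings row (left join yields null)
),
gmail_settings_sample(user_email, delegates) as (
  values
    ('alice@example.com', '[]'::jsonb),
    ('bob@example.com',
     '[{"delegateEmail": "assistant@example.com", "verificationStatus": "accepted"}]'::jsonb)
),
gmail_settings as (
  select
    u.user_email,
    gs.delegates
  from all_users u
  left join gmail_settings_sample gs on gs.user_email = u.user_email
)
select
  user_email as resource,
  case
    when delegates is null or jsonb_array_length(delegates) = 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when delegates is null or jsonb_array_length(delegates) = 0 then 'No mailbox delegation configured for user: ' || user_email || '.'
    else 'Mailbox delegation is enabled for user: ' || user_email || ' with ' || jsonb_array_length(delegates) || ' delegate(s).'
  end as reason
from
  gmail_settings
order by
  user_email;
```

Expected rows: alice and carol report 'ok', bob reports 'alarm' with "1 delegate(s)".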

Tags