turbot/steampipe-mod-googleworkspace-compliance

Control: 3.1.3.5.1 (L2) Ensure POP and IMAP access is disabled for all users

Description

POP and IMAP may allow users to access Gmail using legacy or unapproved email clients that do not support modern authentication mechanisms, such as multifactor authentication.

Disabling POP and IMAP prevents use of legacy and unapproved email clients with weaker authentication mechanisms that would increase the risk of email account credential compromise.

Remediation

To configure this setting via the Google Workspace Admin Console:

  1. Log in to https://admin.google.com as an administrator.
  2. Select Apps.
  3. Select Google Workspace.
  4. Select Gmail.
  5. Under End User Access, open POP and IMAP Access.
  6. Set Enable IMAP access for all users to unchecked.
  7. Set Enable POP access for all users to unchecked.
  8. Select Save.

Default Value

  • Enable IMAP access for all users is checked
  • Enable POP access for all users is checked

Usage

Run the control in your terminal:

powerpipe control run googleworkspace_compliance.control.cis_v120_3_1_3_5_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run googleworkspace_compliance.control.cis_v120_3_1_3_5_1 --share

SQL

This control uses a named query:

with all_users as (
  select primary_email as user_email from googledirectory_user
),
gmail_settings as (
  select
    u.user_email,
    gs.pop,
    gs.imap
  from all_users u
  left join googleworkspace_gmail_settings gs on gs.user_email = u.user_email
)
select
  user_email as resource,
  case
    when (pop ->> 'accessWindow' = 'disabled' or pop ->> 'accessWindow' is null)
      and (imap ->> 'enabled' = 'false' or imap ->> 'enabled' is null) then 'ok'
    else 'alarm'
  end as status,
  case
    when (pop ->> 'accessWindow' = 'disabled' or pop ->> 'accessWindow' is null)
      and (imap ->> 'enabled' = 'false' or imap ->> 'enabled' is null) then 'POP and IMAP access disabled for user: ' || user_email || '.'
    when pop ->> 'accessWindow' != 'disabled' and pop ->> 'accessWindow' is not null then 'POP access enabled for user: ' || user_email || ' (access window: ' || (pop ->> 'accessWindow') || ').'
    when imap ->> 'enabled' = 'true' then 'IMAP access enabled for user: ' || user_email || '.'
    else 'POP or IMAP access may be enabled for user: ' || user_email || '.'
  end as reason
from
  gmail_settings;
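The same evaluation, re-implemented in Python as an added example (not part of the mod) so the logic can be checked against raw Gmail API settings objects outside Steampipe. The sample records are constructed and follow the shape of the Gmail API's users.settings.getPop and getImap responses; a None entry stands for a user with no Gmail settings row, which the query's left join treats as disabled.

```python
from typing import Optional

# Constructed sample input, keyed by primary email.
# Each value mirrors the query's "pop" and "imap" JSON columns.
SAMPLE_SETTINGS = {
    "alice@example.com": {"pop": {"accessWindow": "disabled"}, "imap": {"enabled": False}},
    "bob@example.com": {"pop": {"accessWindow": "allMail"}, "imap": {"enabled": False}},
    "carol@example.com": {"pop": {"accessWindow": "disabled"}, "imap": {"enabled": True}},
    "eve@example.com": {"pop": {"accessWindow": "fromNowOn"}, "imap": {"enabled": True}},
    "dave@example.com": None,  # user present in the directory, no settings row
}


def evaluate_user(user_email: str, settings: Optional[dict]) -> tuple[str, str]:
    """Return (status, reason) for one user, matching the control's CASE logic."""
    pop = (settings or {}).get("pop") or {}
    imap = (settings or {}).get("imap") or {}
    access_window = pop.get("accessWindow")
    imap_enabled = imap.get("enabled")

    # Null (missing) settings count as disabled, exactly as in the SQL.
    pop_disabled = access_window in (None, "disabled")
    imap_disabled = imap_enabled in (None, False)

    if pop_disabled and imap_disabled:
        return "ok", f"POP and IMAP access disabled for user: {user_email}."
    # Same branch precedence as the query: a POP finding is reported first,
    # even when IMAP is also enabled.
    if not pop_disabled:
        return "alarm", f"POP access enabled for user: {user_email} (access window: {access_window})."
    if imap_enabled is True:
        return "alarm", f"IMAP access enabled for user: {user_email}."
    return "alarm", f"POP or IMAP access may be enabled for user: {user_email}."


def run_control(all_settings: dict) -> list[tuple[str, str, str]]:
    """Evaluate every user and return (resource, status, reason) rows."""
    return [(email, *evaluate_user(email, s)) for email, s in all_settings.items()]


def count_alarms(all_settings: dict) -> int:
    """Number of users that fail the control."""
    return sum(1 for _, status, _ in run_control(all_settings) if status == "alarm")


if __name__ == "__main__":
    for row in run_control(SAMPLE_SETTINGS):
        print(*row, sep=" | ")
```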

Tags