Control: 3.1.6.2 (L1) Ensure creating groups is restricted
Description
Control who is allowed to create Groups in your organization and if they can have external members.
The organization should have some control over the organizational groups created and the purpose they are for.
Remediation
To configure this setting via the Google Workspace Admin Console:
- Log in to https://admin.google.com as an administrator.
- Select Apps.
- Select Google Workspace.
- Select Groups for Business.
- Select Creating groups.
- Select "Only organization admins can create groups".
- Set "Group owners can allow external members Organization admins can always add external members" to unchecked.
- Set "Group owners can allow incoming email from outside the organization" to unchecked.
- Select Save.
Default Value
- "Anyone in the organization can create groups" is selected
- "Group owners can allow external members Organization admins can always add external members" is unchecked
- "Group owners can allow incoming email from outside the organization" is unchecked
Usage
Run the control in your terminal:
powerpipe control run googleworkspace_compliance.control.cis_v120_3_1_6_2
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run googleworkspace_compliance.control.cis_v120_3_1_6_2 --share
SQL
This control uses a named query:
with group_creation_stats as (
  select
    count(*) as total_groups,
    count(*) filter (where admin_created = true) as admin_created_groups,
    count(*) filter (where admin_created = false) as user_created_groups
  from
    googledirectory_group
)
select
  'organization' as resource,
  case
    when user_created_groups = 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when user_created_groups = 0 then 'All ' || total_groups || ' groups were created by administrators.'
    else 'Found ' || user_created_groups || ' groups created by users out of ' || total_groups || ' total groups.'
  end as reason
from
  group_creation_stats;
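An added example, not part of the original control or the mod: a per-group variant of the named query that returns one row per group, so each user-created group can be reviewed individually. The rows in sample_groups are constructed, and the email column on googledirectory_group is an assumption, since only admin_created appears on this page.

```sql
-- Added example: per-group variant of the control query.
-- sample_groups holds constructed rows so the query runs on plain PostgreSQL.
-- Against Steampipe, replace the CTE body with:
--   select email, admin_created from googledirectory_group
-- (the email column is an assumption; only admin_created is shown on this page).
with sample_groups (email, admin_created) as (
  values
    ('it-admins@example.com',    true),
    ('finance@example.com',      true),
    ('lunch-club@example.com',   false),
    ('side-project@example.com', false)
)
select
  email as resource,
  case
    when admin_created then 'ok'
    else 'alarm'
  end as status,
  case
    when admin_created then email || ' was created by an administrator.'
    else email || ' was created by a user; confirm an owner and purpose or remove it.'
  end as reason
from
  sample_groups
order by
  admin_created, -- false sorts first, so groups in alarm lead the result
  email;
```

admin_created records how each group was created, so groups made by users before the setting was restricted still return alarm until they are reviewed.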