Control: 3.1.6.2 (L1) Ensure creating groups is restricted
Description
Control who is allowed to create groups in your organization and whether those groups can have external members.
The organization should have some control over which organizational groups are created and what purpose they serve.
Remediation
To configure this setting via the Google Workspace Admin Console:
- Log in to https://admin.google.com as an administrator.
- Select Apps.
- Select Google Workspace.
- Select Groups for Business.
- Select Creating groups.
- Select Only organization admins can create groups.
- Set Group owners can allow external members Organization admins can always add external members to unchecked.
- Set Group owners can allow incoming email from outside the organization to unchecked.
- Select Save.
Default Value
- Anyone in the organization can create groups is selected
- Group owners can allow external members Organization admins can always add external members is unchecked
- Group owners can allow incoming email from outside the organization is unchecked
Usage
Run the control in your terminal:
powerpipe control run googleworkspace_compliance.control.cis_v120_3_1_6_2
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run googleworkspace_compliance.control.cis_v120_3_1_6_2 --share
SQL
This control uses a named query:
with group_creation_stats as (
  select
    count(*) as total_groups,
    count(*) filter (where admin_created = true) as admin_created_groups,
    count(*) filter (where admin_created = false) as user_created_groups
  from
    googledirectory_group
)
select
  'organization' as resource,
  case
    when user_created_groups = 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when user_created_groups = 0 then 'All ' || total_groups || ' groups were created by administrators.'
    else 'Found ' || user_created_groups || ' groups created by users out of ' || total_groups || ' total groups.'
  end as reason
from
  group_creation_stats;
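
When the control returns alarm, the next question is which groups caused it. The following per-group variant is an added example, not part of the googleworkspace_compliance mod; it assumes the same googledirectory_group table and admin_created column as the named query, plus that table's name and email columns.

```sql
-- Added example (not the mod's own query): one result row per group
-- instead of a single organization-wide row.
-- Assumption: googledirectory_group exposes name and email alongside
-- the admin_created column used by the named query above.
select
  email as resource,
  case
    when admin_created is true then 'ok'
    when admin_created is false then 'alarm'
    -- admin_created missing: neither counted as admin- nor user-created
    else 'info'
  end as status,
  case
    when admin_created is true
      then coalesce(name, email) || ' was created by an administrator.'
    when admin_created is false
      then coalesce(name, email) || ' was created by a user.'
    else coalesce(name, email) || ' has no admin_created value recorded.'
  end as reason
from
  googledirectory_group
order by
  status, -- 'alarm' sorts before 'info' and 'ok'
  email;
```

Both queries inspect existing groups rather than the Admin Console setting itself, so groups that users created before the setting was restricted still report alarm until they are reviewed and removed or recreated by an administrator.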