turbot/steampipe-mod-googleworkspace-compliance

Control: 3.1.6.2 (L1) Ensure creating groups is restricted

Description

Control who is allowed to create Groups in your organization and whether those groups can have external members.

The organization should keep control over which groups are created and what they are used for.

Remediation

To configure this setting via the Google Workspace Admin Console:

  1. Log in to https://admin.google.com as an administrator.
  2. Select Apps.
  3. Select Google Workspace.
  4. Select Groups for Business.
  5. Select Creating groups.
  6. Select Only organization admins can create groups.
  7. Set Group owners can allow external members (Organization admins can always add external members) to unchecked.
  8. Set Group owners can allow incoming email from outside the organization to unchecked.
  9. Select Save.

Default Value

  • Anyone in the organization can create groups is selected
  • Group owners can allow external members (Organization admins can always add external members) is unchecked
  • Group owners can allow incoming email from outside the organization is unchecked

Usage

Run the control in your terminal:

powerpipe control run googleworkspace_compliance.control.cis_v120_3_1_6_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run googleworkspace_compliance.control.cis_v120_3_1_6_2 --share

SQL

This control uses a named query. It does not read the Admin Console setting directly; it infers from the read-only admin_created flag on each existing group whether non-administrators have been able to create groups, so it can only alarm once such a group exists, and it does not check the external-members settings.

with group_creation_stats as (
  select
    count(*) as total_groups,
    count(*) filter (where admin_created = true) as admin_created_groups,
    count(*) filter (where admin_created = false) as user_created_groups
  from
    googledirectory_group
)
select
  'organization' as resource,
  case
    when user_created_groups = 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when user_created_groups = 0 then 'All ' || total_groups || ' groups were created by administrators.'
    else 'Found ' || user_created_groups || ' groups created by users out of ' || total_groups || ' total groups.'
  end as reason
from
  group_creation_stats;
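The named query above only reports a count. When it alarms, the next thing a practitioner wants is the list of user-created groups, together with the external-member exposure the control's description mentions. The following drill-down is an added example, not part of the mod; it assumes the Steampipe googledirectory plugin tables googledirectory_group, googledirectory_group_member (with group_id as its required key column, satisfied here through the join) and googledirectory_domain, and the column names used below. A member whose email domain is not one of the organization's verified domains is counted as external.

```sql
-- Added example (not part of the steampipe-mod-googleworkspace-compliance mod).
-- Lists every group that was not created by an administrator and counts
-- how many of its direct members sit outside the organization's domains.
-- Assumes the googledirectory plugin's googledirectory_group,
-- googledirectory_group_member and googledirectory_domain tables.
select
  g.email as group_email,
  g.name,
  g.direct_members_count,
  -- members whose address domain is not one of the org's Workspace domains
  count(m.email) filter (
    where lower(split_part(m.email, '@', 2)) not in (
      select lower(domain_name) from googledirectory_domain
    )
  ) as external_member_count
from
  googledirectory_group as g
  -- join supplies the group_id key the member table requires
  left join googledirectory_group_member as m on m.group_id = g.id
where
  g.admin_created = false
group by
  g.id, g.email, g.name, g.direct_members_count
order by
  external_member_count desc,
  g.email;
```

Groups at the top of the result (user-created and holding external members) are the ones to review first; groups with zero external members still fall outside the "only organization admins can create groups" policy and should be reconciled with the console setting after remediation.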

Tags