Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-googleworkspace-compliance
Overview
1Dashboards
12Benchmarks
12Queries
1Variables
GitHub

Control: 4.1.1.1 (L1) Ensure 2-Step Verification (Multi-Factor Authentication) is enforced for all users in administrative roles

Description

Enforce 2-Step Verification (Multi-Factor Authentication) for all users assigned administrative roles. These include roles such as:

  • Help Desk Admin
  • Groups Admin
  • Super Admin
  • Services Admin
  • User Management Admin
  • Mobile Admin
  • Android Admin
  • Custom Admin Roles.

Add an extra layer of security to users accounts by asking users to verify their identity when they enter a username and password. 2-Step Verification (Multi-factor authentication) requires an individual to present a minimum of two separate forms of authentication before access is granted. 2-Step Verification provides additional assurance that the individual attempting to gain access is who they claim to be. With 2-Step Verification, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.

Remediation

To verify this setting via the Google Workspace Admin Console:

  1. Log in to https://admin.google.com as an administrator.
  2. Go to Security and click on 2-Step Verification.
  3. Select the appropriate group with ALL ADMIN ROLES -- Create this group if needed.
  4. Under Authentication, set Allow users to turn on 2-Step Verification to checked.
  5. Set Enforcement to On.
  6. Set New user enrollment period is set to 2 weeks.
  7. Under Frequency, set Allow user to trust device to unchecked.
  8. Under Methods, set Any except verification codes via text, phone call to selected.
  9. Select Save.

Default Value

  • Allow users to turn on 2-Step Verification is checked
  • Enforcement is Off
  • New user enrollment period is None
  • Frequency - Allow user to trust device is checked
  • Methods is Any

Usage

Run the control in your terminal:

powerpipe control run googleworkspace_compliance.control.cis_v120_4_1_1_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run googleworkspace_compliance.control.cis_v120_4_1_1_1 --share

SQL

This control uses a named query:

with admin_users as (
  select 
    u.primary_email,
    u.is_admin,
    u.is_delegated_admin,
    u.is_enrolled_in_2sv,
    u.is_enforced_in_2sv,
    r.role_name,
    r.is_super_admin_role
  from googledirectory_user u
  left join googledirectory_role_assignment ra on u.id = ra.assigned_to
  left join googledirectory_role r on ra.role_id = r.role_id
  where u.is_admin = true or u.is_delegated_admin = true
)
select
  primary_email as resource,
  case
    when is_enrolled_in_2sv = false then 'alarm'
    when is_enrolled_in_2sv = true and is_enforced_in_2sv = false then 'info'
    else 'ok'
  end as status,
  case
    when is_enrolled_in_2sv = false then 
      format('Admin user %s is not enrolled in 2-Step Verification (role: %s).', primary_email, coalesce(role_name, 'Admin'))
    when is_enrolled_in_2sv = true and is_enforced_in_2sv = false then
      format('Admin user %s has 2FA enrolled but not enforced (role: %s).', primary_email, coalesce(role_name, 'Admin'))
    else 
      format('Admin user %s has 2-Step Verification properly configured (role: %s).', primary_email, coalesce(role_name, 'Admin'))
  end as reason
from
  admin_users
order by
  is_super_admin_role desc,
  is_enrolled_in_2sv asc,
  primary_email;

Tags

category = Compliance
cis = true
cis_item_id = 4.1.1.1
cis_level = 1
cis_section_id = 4.1.1
cis_type = manual
cis_version = v1.2.0
plugin = googleworkspace
service = GoogleWorkspace/General