turbot/steampipe-mod-googleworkspace-compliance

Control: 4.1.1.3 (L1) Ensure 2-Step Verification (Multi-Factor Authentication) is enforced for all users

Description

Enforce 2-Step Verification (Multi-Factor Authentication) for all users.

Add an extra layer of security to users' accounts by asking users to verify their identity when they enter a username and password. 2-Step Verification (Multi-factor authentication) requires an individual to present a minimum of two separate forms of authentication before access is granted. 2-Step Verification provides additional assurance that the individual attempting to gain access is who they claim to be. With 2-Step Verification, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.

Remediation

To configure this setting via the Google Workspace Admin Console:

  1. Log in to https://admin.google.com as an administrator.
  2. Select Security.
  3. Select 2-Step Verification.
  4. Under Authentication, check - Allow users to turn on 2-Step Verification.
  5. Set Enforcement to On.
  6. Set New user enrollment period to 2 weeks.
  7. Under Frequency, uncheck - Allow user to trust device.
  8. Under Methods, select - Any except verification codes via text, phone call.
  9. Select Save.

Default Value

  • Allow users to turn on 2-Step Verification is checked
  • Enforcement is Off
  • New user enrollment period is None
  • Frequency - Allow user to trust device is checked
  • Methods is Any

Usage

Run the control in your terminal:

powerpipe control run googleworkspace_compliance.control.cis_v120_4_1_1_3

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run googleworkspace_compliance.control.cis_v120_4_1_1_3 --share

SQL

This control uses a named query:

select
  primary_email as resource,
  case
    when is_enrolled_in_2sv = false then 'alarm'
    when is_enrolled_in_2sv = true and is_enforced_in_2sv = false then 'info'
    else 'ok'
  end as status,
  case
    when is_enrolled_in_2sv = false then
      format('User %s is not enrolled in 2-Step Verification%s.', primary_email,
        case when is_admin then ' (ADMIN)' else '' end)
    when is_enrolled_in_2sv = true and is_enforced_in_2sv = false then
      format('User %s has 2FA enrolled but not enforced%s.', primary_email,
        case when is_admin then ' (ADMIN)' else '' end)
    else
      format('User %s has 2-Step Verification properly configured%s.', primary_email,
        case when is_admin then ' (ADMIN)' else '' end)
  end as reason
from
  googledirectory_user
order by
  is_admin desc,
  is_enrolled_in_2sv asc,
  primary_email;
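
The per-user result above is what the control reports. As an added example (not part of the mod), the same status logic can be rolled up by organizational unit so that the remaining enforcement gap, and in particular admin accounts still outside enforcement, is visible at a glance. It assumes the googledirectory_user table also exposes the org_unit_path and suspended fields of the Directory API user resource, and that the Steampipe database accepts PostgreSQL aggregate filter clauses.

```sql
-- Added example, not part of the googleworkspace-compliance mod.
-- Assumption: googledirectory_user exposes org_unit_path and suspended
-- (Directory API user fields) alongside the columns used by the control.
with user_status as (
  select
    primary_email,
    is_admin,
    org_unit_path,
    -- same classification as the control's named query
    case
      when is_enrolled_in_2sv = false then 'alarm'
      when is_enrolled_in_2sv = true and is_enforced_in_2sv = false then 'info'
      else 'ok'
    end as status
  from
    googledirectory_user
  where
    -- suspended accounts cannot sign in, so leave them out of the totals
    suspended = false
)
select
  org_unit_path,
  count(*) as users,
  count(*) filter (where status = 'alarm') as not_enrolled,
  count(*) filter (where status = 'info') as enrolled_not_enforced,
  count(*) filter (where status = 'ok') as enforced,
  -- admins outside enforcement are the first accounts to remediate
  count(*) filter (where status <> 'ok' and is_admin) as admins_needing_attention,
  round(100.0 * count(*) filter (where status = 'ok') / count(*), 1) as pct_enforced
from
  user_status
group by
  org_unit_path
order by
  admins_needing_attention desc,
  not_enrolled desc,
  org_unit_path;
```

Run it with `steampipe query` against the same connection the control uses; org units with a non-zero admins_needing_attention column are the ones to review first.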

Tags