Assess Google Workspace Security with cnspec
Rely on cnspec to audit and enforce policy for your Google Workspace environment.
Configure access to the Google Workspace API
These steps for configuring Admin SDK API access to your Google Workspace environment rely on Google Cloud (GCP) even if you aren't otherwise using GCP.
-
Create a Google Workspace service account.
- In addition to the APIs that Google requires, also enable:
- Cloud Identity API
- Google Drive API
- After creating the service account, be sure to record the Unique ID on the details page. This is the Client ID to use in the next step.
- Be sure to download and protect the JSON credentials file.
- In addition to the APIs that Google requires, also enable:
-
Log into the Google Workspace Admin Portal.
-
In the left-side navigation, select Security -> Access and data controls -> API controls.
-
Select Domain-wide Delegation and then select Add new.
-
For the Client ID enter the Unique ID of the service account you created.
-
Paste this comma-delimited list to add all 16 read-only OAuth scopes:
https://www.googleapis.com/auth/admin.chrome.printers.readonly,https://www.googleapis.com/auth/admin.directory.customer.readonly,https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly,https://www.googleapis.com/auth/admin.directory.device.mobile.readonly,https://www.googleapis.com/auth/admin.directory.domain.readonly,https://www.googleapis.com/auth/admin.directory.group.member.readonly,https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.orgunit.readonly,https://www.googleapis.com/auth/admin.directory.resource.calendar.readonly,https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly,https://www.googleapis.com/auth/admin.directory.user.alias.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.userschema.readonly,https://www.googleapis.com/auth/admin.reports.audit.readonly,https://www.googleapis.com/auth/admin.reports.usage.readonly,https://www.googleapis.com/auth/admin.directory.user.security,https://www.googleapis.com/auth/cloud-identity.groups.readonly -
In the Google Workspace Admin Portal, navigate to Account -> Account Settings and record the Customer ID.
To test proper configuration, use the cnspec shell to run a sample query:
cnspec shell google-workspace --customer-id 5amp13iD --impersonated-user-email admin@domain.com --credentials-path /home/user/my-project-6646123456789.json
| For... | Substitute... |
|---|---|
--impersonated-user-email | The email address of a user that has super admin privileges |
--credentials-path | The path to the downloaded JSON credentials file |
cnspec returns results similar to these:
cnspec> googleworkspace.users
googleworkspace.users: [
0: {
primaryEmail: "alice@smith.family"
}
1: {
primaryEmail: "betty@smith.family"
}
....
If you prefer, you can use any of these environment variables to provide the credentials file. They're listed in order of precedence:
GOOGLE_APPLICATION_CREDENTIALSGOOGLEWORKSPACE_CREDENTIALSGOOGLEWORKSPACE_CLOUD_KEYFILE_JSONGOOGLE_CREDENTIALS
If any of the variables above and the --credentials-path parameter are both present, the environment variable takes precedence.
$ export GOOGLEWORKSPACE_CLOUD_KEYFILE_JSON=/home/user/my-project-6646123456789.json
$ cnspec shell google-workspace --customer-id 5amp13iD --impersonated-user-email admin@domain.com
___ _ __ ___ _ __ ___ ___
/ __| '_ \/ __| '_ \ / _ \/ __|
| (__| | | \__ \ |_) | __/ (__
\___|_| |_|___/ .__/ \___|\___|
mondoo™ |_|
cnspec> googleworkspace.users
googleworkspace.users: [
0: {
primaryEmail: "alice@smith.family"
}
1: {
primaryEmail: "betty@smith.family"
}
....
Example queries and checks
Display details for the first user in the workspace:
cnspec> googleworkspace.users[0]{ * }
googleworkspace.users[0]: {
isMailboxSetup: true
familyName: "Smith"
suspensionReason: ""
recoveryEmail: ""
archived: false
aliases: []
isAdmin: false
lastLoginTime: 2023-01-03 20:45:12 +0000 UTC
agreedToTerms: true
suspended: false
isEnrolledIn2Sv: false
fullName: "Alice Smith"
recoveryPhone: ""
primaryEmail: "alice@smith.family"
givenName: "Alice"
id: "1182761XXXXXXXXX"
tokens: [
0: googleworkspace.token displayText="iOS Account Manager"
1: googleworkspace.token displayText="Facetune2"
2: googleworkspace.token displayText="YouTube on TV"
3: googleworkspace.token displayText="Discord"
4: googleworkspace.token displayText="Google Chrome"
5: googleworkspace.token displayText="Epic Games, Inc."
6: googleworkspace.token displayText="the-game-awards"
]
creationTime: 2021-11-30 04:31:25 +0000 UTC
isEnforcedIn2Sv: false
usageReport: googleworkspace.report.usage id = googleworkspace.report.usage/C013XXXXXX/118276124783XXXXXXXXX/2023-01-03
}
Notice that usageReport is listed in this example output. This provides access to several reports with more useful user data that you can also check.
For example, this retrieves the first user in the workspace's account usage data:
cnspec> googleworkspace.users[0].usageReport.account
googleworkspace.users[0].usageReport.account: {
adminSetName: "Alice Smith"
driveUsedQuotaInMb: 231.000000
gmailUsedQuotaInMb: 39.000000
is2SvEnforced: false
isDisabled: false
isLessSecureAppsAccessAllowed: false
isS2SvEnrolled: false
isSuperAdmin: false
passwordLengthCompliance: "COMPLIANT"
passwordStrength: "STRONG"
usedQuotaInMb: 270.000000
}
You can also create checks against the Google Workspace data.
This checks assures all users have passwords that Google considers strong and compliant:
googleworkspace.users{
usageReport.account {
_['passwordStrength'] == "STRONG"
_['passwordLengthCompliance'] == "COMPLIANT"
}
}
Example response data:
googleworkspace.users: [
0: {
usageReport.account: {
[passwordLengthCompliance] == "COMPLIANT": true
[passwordStrength] == "STRONG": true
}
}
1: {
usageReport.account: {
[passwordLengthCompliance] == "COMPLIANT": true
[passwordStrength] == "STRONG": true
}
}
Learn more
-
To learn more about how the MQL query language works, read Write Effective MQL.
-
For more information, explore the complete Mondoo Google Workspace Resource Pack Reference.