prowler-cloud/prowler

Add Support for Google Workspace admin settings

Open

#8266 opened on July 14, 2025

3 comments, 3 reactions, 0 assignees. Repository: Python, 8,957 stars, 1,322 forks.
Labels: feature-request, help wanted, planned, source/slack

Description

New feature motivation

Google WorkSpace (GWS) comprises cloud-based productivity tools like Gmail, Drive, Docs, Sheets, and Meet, along with administrative features in the Google Admin Console for user and security management.

Integration with GCP is strong, particularly through Cloud Identity, IAM roles, and Admin SDK APIs, focusing on:

  1. IAM Role Delegation: Set up GCP service accounts as Workspace admins, assigning roles for permission inheritance. The Admin Console can also access the Admin SDK Directory API for synchronizing user data.
  2. Security Controls: Security settings in the Admin Console include Multi-Factor Authentication, Single Sign-On, and session expiry management.

Google Cloud Identity connects GCP and Workspace for centralized user management, SSO, and MFA enforcement, configurable via the Admin Console or Identity APIs.

The Admin Console allows comprehensive management of Workspace apps, including access control and user governance.

As such, being able to automatically assess the posture of your Google Workspace settings, whether you are using Google Cloud, Google Workspace apps, or both, is of critical importance.

At present, I can't see this capability in CSPM providers. Some SSPM providers do have it (for example Palo Alto and Spin.ai) but they require super admin permissions to do so.

Solution Proposed

Adopt an approach like that which CISA uses in its assessment tool.

As well as providing a tool, written in Go, to assess the posture of your GCP organisation, they have provided two key capabilities:

  1. A least privilege approach to assessing posture - https://github.com/cisagov/ScubaGoggles/blob/main/docs/prerequisites/Prerequisites.md
  2. A framework with baseline controls for Google Workspace - https://github.com/cisagov/ScubaGoggles/tree/main/scubagoggles/baselines (Common controls and Groups controls being applicable even if you don't use Google Workspace apps such as Docs, Sheets, etc. and only use Google Cloud)

Describe alternatives you've considered

Considered:

  1. Palo Alto SaaS Security - https://docs.paloaltonetworks.com/saas-security/sspm/onboard-saas-apps-supported-by-sspm/onboard-a-google-workspace-app-to-sspm
  2. SpinOne - https://spin.ai/help/gworkspace-administration/862389-how-to-resolve-problems-with-insufficient-permissions/

Both of these require that they have super admin privileges. Neither seems to publicly document what control frameworks/policies are used.

Additional context

No response
