This check verifies that the domain-level API controls (App access control) restrict third-party app access to at least one Google service, rather than leaving every service at the unrestricted default. The CIS Google Workspace benchmark recommends restricting access for all applicable services, particularly those exposing high-risk scopes such as Drive and Gmail.
Risk
When application access to Google services is unrestricted, any third-party app that a user consents to can reach organizational data through Google APIs with whatever OAuth scopes that user granted. Apps that request broad scopes for Drive, Gmail, and other services can therefore read or exfiltrate sensitive data without the app ever having been vetted by an administrator.
prowler googleworkspace --checks security_app_access_restricted
Recommendation
Restrict application access to Google services to trusted apps only, particularly for high-risk scopes like Drive and Gmail, to prevent unvetted third-party apps from accessing sensitive organizational data.
Remediation
- Sign in to the Google Admin console at https://admin.google.com
- Navigate to Security > Access and Data Control > API Controls
- Click App access control > MANAGE GOOGLE SERVICES
- Select ALL applicable Google Services
- Click Change access
- Select Restricted: Only trusted apps can access a service
- Click Save
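Before switching a service to Restricted, an administrator usually wants to know which third-party apps already hold Drive or Gmail scopes so the legitimate ones can be marked trusted first. The script below is an added example, not Prowler's check code, that classifies OAuth grants by scope and flags those from apps not on a trusted allow-list. The sample grants and client IDs are constructed; the live-data helper assumes a googleapiclient Directory API service object with domain-wide delegation and is not exercised offline.

```python
"""Flag third-party OAuth grants that carry Drive/Gmail scopes and are not trusted.

Added example (not Prowler's own check). Grants are modelled on the items
returned by the Admin SDK Directory API tokens.list endpoint; the sample data
at the bottom is constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Google OAuth scope prefixes covering the two high-risk services named by the check.
HIGH_RISK_SCOPE_PREFIXES = (
    "https://www.googleapis.com/auth/drive",  # drive, drive.readonly, drive.file, ...
    "https://www.googleapis.com/auth/gmail",  # gmail.readonly, gmail.modify, gmail.send, ...
    "https://mail.google.com/",               # full Gmail access
)


@dataclass(frozen=True)
class Grant:
    user: str
    client_id: str
    display_text: str
    scopes: Tuple[str, ...]


@dataclass(frozen=True)
class Finding:
    user: str
    client_id: str
    display_text: str
    risky_scopes: Tuple[str, ...]


def risky_scopes(scopes: Iterable[str]) -> Tuple[str, ...]:
    """Return only the scopes that grant Drive or Gmail access."""
    return tuple(s for s in scopes if s.startswith(HIGH_RISK_SCOPE_PREFIXES))


def find_untrusted_high_risk_grants(grants: Iterable[Grant],
                                    trusted_client_ids: Set[str]) -> List[Finding]:
    """Flag grants from apps outside the trusted list that hold high-risk scopes."""
    findings = []
    for g in grants:
        if g.client_id in trusted_client_ids:
            continue  # app already marked Trusted in App access control
        risky = risky_scopes(g.scopes)
        if risky:
            findings.append(Finding(g.user, g.client_id, g.display_text, risky))
    return findings


def grants_from_admin_sdk(service, user_keys: Iterable[str]) -> Iterable[Grant]:
    """Pull live grants with Admin SDK Directory API tokens.list (not run offline).

    Assumption: `service` was created with
    build("admin", "directory_v1", credentials=...) using a delegated admin identity.
    """
    for user in user_keys:
        resp = service.tokens().list(userKey=user).execute()
        for item in resp.get("items", []):
            yield Grant(user, item.get("clientId", ""), item.get("displayText", ""),
                        tuple(item.get("scopes", [])))


# Constructed sample data: client IDs and app names are placeholders.
TRUSTED_CLIENT_IDS = {"555555.apps.googleusercontent.com"}

SAMPLE_GRANTS = (
    Grant("alice@example.com", "123456.apps.googleusercontent.com", "PDF Merge Tool",
          ("https://www.googleapis.com/auth/drive",
           "https://www.googleapis.com/auth/userinfo.email")),
    Grant("bob@example.com", "555555.apps.googleusercontent.com", "Corp Backup",
          ("https://mail.google.com/",
           "https://www.googleapis.com/auth/drive.readonly")),
    Grant("carol@example.com", "999999.apps.googleusercontent.com", "Calendar Helper",
          ("https://www.googleapis.com/auth/calendar.readonly",
           "https://www.googleapis.com/auth/userinfo.profile")),
    Grant("dave@example.com", "123456.apps.googleusercontent.com", "PDF Merge Tool",
          ("https://www.googleapis.com/auth/gmail.readonly",)),
)

if __name__ == "__main__":
    for f in find_untrusted_high_risk_grants(SAMPLE_GRANTS, TRUSTED_CLIENT_IDS):
        print(f"{f.user}: {f.display_text} ({f.client_id}) holds {', '.join(f.risky_scopes)}")
```

Run against live data by replacing SAMPLE_GRANTS with grants_from_admin_sdk(service, users); each finding is an app to either add to the trusted list or leave blocked once the service is set to Restricted.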
Source Code
Resource Type
NotDefined
References
Related To
- security_internal_apps_trusted