Allowlist and Audit Logs for URLs accessed from Google Apps Script and Google Sheets

What’s changing

We’re introducing a feature that will allow admins to restrict which URLs Apps Scripts and Sheets can source external content from. More specifically, admins can now monitor which URLs are being accessed by referencing new logs that we’re adding to the audit and investigation page. Admins can then create an allowlist that controls which of those URLs they’d like to enable/disable. 
When such an allowlist is specified, users in the organization will only be able to use those allowlisted URLs for both their Apps Scripts and their Sheets IMPORT functions. This allows organizations to more granularly control access in a way that better aligns with a Zero Trust security posture. 

Who’s impacted 

Admins and end users 

Why it’s important 

Data exfiltration is an important security concern for admins, especially when it comes to Apps Scripts and Sheets because certain functions are capable of accessing external data. With this update, admins have more granular control over URLs accessed by users in their organization. 

Getting started 

Admins: Logs can be found under Reporting > Audit and investigation > Drive Log Events OR Security > Security Center > Investigation Tool. The URL allowlists can be found in the Admin console under Apps > Google Workspace > Drive and Docs > Features and Applications > Importing and fetching from URLs. If an allowlist is not established, no URLs will be restricted. Visit the Help Center to learn more about Drive log events. End users: There is no end user setting for this feature. 

Rollout pace 

Rapid Release and Scheduled Release domains: Gradual rollout (up to 15 days for feature visibility) starting on July 31, 2024 

Availability 

Available to all Google Workspace customers 

Resources