
GCP API calls indicating Cloud SQL instance export

ID: gcp_cloud_sql_instance_exported
Data type: Google Cloud Platform
Severity: Low
MITRE ATT&CK: TA0010:T1537

Description

AlphaSOC detected an export operation on a Google Cloud SQL database instance. Database exports create copies of data that can be transferred to external locations. Attackers may abuse the export feature to bypass security measures and exfiltrate sensitive information without needing direct database credentials.

Impact

Database exports can result in significant data exfiltration, exposing sensitive business data, customer information, or credentials stored in the database. The exported data may be stored in cloud storage buckets that could have weaker access controls. This technique allows attackers to obtain complete database copies for offline analysis.

Severity

Severity | Condition
Low | Cloud SQL instance export by a user for the first time

Investigation and Remediation

Review the export operation details including the destination storage location. Verify the identity of the user who initiated the export and confirm the action was authorized. Check the destination bucket's access controls and audit logs for subsequent data access. If unauthorized, delete the exported data, revoke access to the destination, and investigate the user's account for compromise.
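The following is an added example, not AlphaSOC's detection code, showing how the "first export by a user" condition and the investigation fields above can be derived from Cloud Audit Log entries. It assumes the Admin Activity log shape Cloud SQL emits (serviceName `cloudsql.googleapis.com`, methodName `cloudsql.instances.export`, destination under `protoPayload.request.exportContext.uri`); the log lines, project, principals and bucket allow-list are all constructed for illustration.

```python
"""First-time Cloud SQL export detector run over Cloud Audit Log entries.

Added example, not AlphaSOC's detection code. It assumes the Admin Activity
audit log shape Cloud SQL emits: protoPayload.serviceName
"cloudsql.googleapis.com", methodName "cloudsql.instances.export", and the
export destination under protoPayload.request.exportContext.uri. All log
entries and the bucket allow-list below are constructed for illustration.
"""
import json

RULE_ID = "gcp_cloud_sql_instance_exported"
EXPORT_METHOD = "cloudsql.instances.export"

# Constructed allow-list of buckets that scheduled backups are known to write to
# (a hypothetical value; maintain it from your own backup configuration).
KNOWN_BACKUP_BUCKETS = {"example-backups"}


def _entry(ts, method, principal, instance, ip, uri=None):
    """Build one constructed audit-log line in the assumed Cloud SQL shape."""
    payload = {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "serviceName": "cloudsql.googleapis.com",
        "methodName": method,
        "resourceName": f"projects/example-project/instances/{instance}",
        "authenticationInfo": {"principalEmail": principal},
        "requestMetadata": {"callerIp": ip},
    }
    if uri is not None:
        payload["request"] = {"exportContext": {"uri": uri, "fileType": "SQL"}}
    return json.dumps({"timestamp": ts, "protoPayload": payload})


# Constructed sample log lines: alice exports twice to the backup bucket,
# a read-only call is mixed in, and bob exports once to an unknown bucket.
SAMPLE_LOG_LINES = [
    _entry("2024-05-01T02:00:00Z", EXPORT_METHOD, "alice@example.com",
           "prod-db", "203.0.113.10", "gs://example-backups/prod-db-0501.sql.gz"),
    _entry("2024-05-01T02:05:00Z", "cloudsql.instances.get", "alice@example.com",
           "prod-db", "203.0.113.10"),
    _entry("2024-05-02T02:00:00Z", EXPORT_METHOD, "alice@example.com",
           "prod-db", "203.0.113.10", "gs://example-backups/prod-db-0502.sql.gz"),
    _entry("2024-05-02T14:31:07Z", EXPORT_METHOD, "bob@example.com",
           "prod-db", "198.51.100.77", "gs://external-bucket/dump/prod.sql"),
]


def bucket_from_uri(uri):
    """Return the bucket name from a gs://bucket/object URI, or None."""
    if not uri or not uri.startswith("gs://"):
        return None
    return uri[len("gs://"):].split("/", 1)[0] or None


def parse_export(line):
    """Return the investigation fields for a Cloud SQL export entry, else None."""
    entry = json.loads(line)
    payload = entry.get("protoPayload", {})
    if payload.get("serviceName") != "cloudsql.googleapis.com":
        return None
    if payload.get("methodName") != EXPORT_METHOD:
        return None
    uri = payload.get("request", {}).get("exportContext", {}).get("uri")
    bucket = bucket_from_uri(uri)
    return {
        "timestamp": entry.get("timestamp"),
        "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
        "caller_ip": payload.get("requestMetadata", {}).get("callerIp"),
        "instance": payload.get("resourceName"),
        "destination": uri,
        "destination_bucket": bucket,
        "destination_allowlisted": bucket in KNOWN_BACKUP_BUCKETS,
    }


def detect_first_time_exports(lines, seen_principals=None):
    """Emit one Low alert per principal the first time they export an instance.

    seen_principals carries state across batches so a principal who already
    triggered the rule is not alerted again (the page's 'first time' condition).
    """
    seen = set() if seen_principals is None else seen_principals
    alerts = []
    for line in lines:
        event = parse_export(line)
        if event is None or event["principal"] in seen:
            continue
        seen.add(event["principal"])
        alerts.append({"rule": RULE_ID, "severity": "Low", **event})
    return alerts


if __name__ == "__main__":
    for alert in detect_first_time_exports(SAMPLE_LOG_LINES):
        print(json.dumps(alert, indent=2))
```

Each alert carries the fields the investigation steps call for (who, from which IP, which instance, to which bucket), and `destination_allowlisted` gives a quick first cut at the scheduled-backup false positive: an export to an unknown bucket, as in bob's entry, is the one to look at first, while alice's second export to the known backup bucket is suppressed by the first-time condition.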

Known False Positives

  • Scheduled database backup operations
  • Data migration or replication processes
  • Development teams creating copies for testing environments