GCP API calls indicating Cloud Storage bucket modification
Description
AlphaSOC detected GCP API calls that modify or delete Cloud Storage buckets,
identified through the storage.buckets.update and storage.buckets.delete
actions recorded in Cloud Audit Logs. Threat actors who have compromised GCP
credentials may modify bucket configurations to disable object versioning
(preventing recovery of overwritten or deleted objects), turn off bucket usage
and storage logging (hiding access patterns), add or alter lifecycle rules
(triggering automated deletion of objects), remove retention policies, or
delete buckets outright.
Impact
Manipulating Cloud Storage bucket configurations allows attackers to compromise the integrity and availability of stored data through several destructive actions. Disabling versioning removes the ability to recover objects that are subsequently overwritten or deleted. Added or modified lifecycle rules can trigger automated deletion of data, destroying backups, application data, or business records without any further API call from the attacker. Disabling bucket logging removes the usage and storage logs that would reveal data manipulation or unauthorized access to stored objects. Deleting entire buckets results in data loss that may affect applications, backups, and business operations. Organizations can face service disruptions, compliance violations, or financial losses from data destruction and regulatory penalties.
Severity
| Severity | Condition |
|---|---|
| Informational | One unexpected property: action, ASN, user agent, or region |
| Low | Two unexpected properties at the same time |
| Medium | Three or more unexpected properties at the same time |
Investigation and Remediation
Review the Cloud Audit Logs (Admin Activity) to identify the bucket
modification or deletion event and examine the request details to determine
which bucket was affected and what configuration changes were made. For
storage.buckets.update events, analyze the fields in the request body to
identify changes to versioning, logging, lifecycle rules, encryption, or
retention policies; a rule that deletes objects after a very short age is as
destructive as a delete call. For storage.buckets.delete events, confirm which
bucket was removed and assess the data loss scope; because a bucket must be
empty before it can be deleted, a bucket deletion is normally preceded by bulk
object deletion, which should be reviewed as part of the same incident. Verify
the principal (user account or service account) that performed the
modification and check the source IP address, user agent, and geographic
location to confirm whether the activity originated from authorized
infrastructure.
If unauthorized changes were made, immediately revert bucket configurations to
their previous state. Review Cloud Storage access logs to identify whether data
access, modification, or deletion occurred before or after the configuration
changes; note that Data Access audit logs for Cloud Storage are not enabled by
default, so object-level history may only exist where logging had already been
configured. Examine other activities performed by the same principal to
identify additional bucket modifications or unauthorized operations. If a
bucket was deleted and soft delete was enabled on it, restore it within the
soft-delete retention window; otherwise restore it from backups. Disable or
revoke credentials for the compromised principal and rotate service account
keys. Implement least-privilege IAM policies that restrict the
storage.buckets.update and storage.buckets.delete permissions to essential
administrative roles. Consider enabling object versioning, soft delete, and
locked retention policies to prevent data loss, and use Organization Policy
constraints together with IAM deny policies to enforce storage security
controls and block bucket deletion outside approved roles.
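The following script is an added example written for this page, not AlphaSOC detection code. It applies the severity table above (one, two, or three or more unexpected properties among action, ASN, user agent, and region) to constructed audit log entries, and carries out the first step of the investigation section by pulling the destructive fields out of a storage.buckets.update request body. The protoPayload layout follows Cloud Audit Logs, but the entries themselves, the "enrichment" block (ASN and country, which the raw log does not contain), and the per-principal BASELINE are assumptions standing in for what a detector would derive from history.

```python
"""Triage of Cloud Storage bucket update/delete audit entries (added example)."""
import json

WATCHED_METHODS = ("storage.buckets.update", "storage.buckets.delete")
SEVERITY_BY_COUNT = {1: "Informational", 2: "Low", 3: "Medium"}

# Assumed baseline of expected properties per principal (not from the page).
BASELINE = {
    "deploy-sa@example-prj.iam.gserviceaccount.com": {
        "actions": {"storage.buckets.update"},
        "asns": {15169},                      # Google's ASN: workloads on GCE
        "user_agents": {"google-cloud-sdk"},  # matched as a prefix
        "regions": {"US"},
    },
}
_EMPTY = {"actions": set(), "asns": set(), "user_agents": set(), "regions": set()}

# Constructed sample entries (documentation IPs and a documentation ASN).
SAMPLE_ENTRIES = [
    # 1. Routine: deployment SA enabling versioning from its usual location.
    {"protoPayload": {
        "methodName": "storage.buckets.update",
        "resourceName": "projects/_/buckets/prod-backups",
        "authenticationInfo": {"principalEmail": "deploy-sa@example-prj.iam.gserviceaccount.com"},
        "requestMetadata": {"callerIp": "198.51.100.5", "callerSuppliedUserAgent": "google-cloud-sdk gcloud/470.0.0"},
        "request": {"versioning": {"enabled": True}}},
     "enrichment": {"asn": 15169, "country": "US"}},
    # 2. Suspicious: same SA from an unknown ASN and country, disabling
    #    versioning and adding a lifecycle rule that deletes every object.
    {"protoPayload": {
        "methodName": "storage.buckets.update",
        "resourceName": "projects/_/buckets/prod-backups",
        "authenticationInfo": {"principalEmail": "deploy-sa@example-prj.iam.gserviceaccount.com"},
        "requestMetadata": {"callerIp": "203.0.113.77", "callerSuppliedUserAgent": "google-cloud-sdk gcloud/470.0.0"},
        "request": {"versioning": {"enabled": False},
                    "lifecycle": {"rule": [{"action": {"type": "Delete"}, "condition": {"age": 0}}]}}},
     "enrichment": {"asn": 64496, "country": "NL"}},
    # 3. Bucket deletion from the usual location: only the action is unexpected.
    {"protoPayload": {
        "methodName": "storage.buckets.delete",
        "resourceName": "projects/_/buckets/scratch-tmp",
        "authenticationInfo": {"principalEmail": "deploy-sa@example-prj.iam.gserviceaccount.com"},
        "requestMetadata": {"callerIp": "198.51.100.5", "callerSuppliedUserAgent": "google-cloud-sdk gcloud/470.0.0"}},
     "enrichment": {"asn": 15169, "country": "US"}},
]


def bucket_name(entry):
    """resourceName looks like projects/_/buckets/<name>; return <name>."""
    return entry["protoPayload"]["resourceName"].rsplit("/", 1)[-1]


def unexpected_properties(entry, baseline=BASELINE):
    """Return which of action / asn / user_agent / region fall outside the baseline."""
    p = entry["protoPayload"]
    exp = baseline.get(p["authenticationInfo"]["principalEmail"], _EMPTY)
    ua = p["requestMetadata"]["callerSuppliedUserAgent"]
    checks = {
        "action": p["methodName"] in exp["actions"],
        "asn": entry["enrichment"]["asn"] in exp["asns"],
        "user_agent": any(ua.startswith(x) for x in exp["user_agents"]),
        "region": entry["enrichment"]["country"] in exp["regions"],
    }
    return [name for name, ok in checks.items() if not ok]


def severity(unexpected):
    """Map the number of unexpected properties onto the severity table."""
    n = len(unexpected)
    return None if n == 0 else SEVERITY_BY_COUNT[min(n, 3)]


def destructive_changes(entry):
    """For storage.buckets.update, list request fields that weaken recoverability or auditability."""
    p = entry["protoPayload"]
    req = p.get("request") or {} if p["methodName"] == "storage.buckets.update" else {}
    out = []
    if "versioning" in req and not (req["versioning"] or {}).get("enabled"):
        out.append("versioning disabled")
    if "logging" in req and not req["logging"]:          # PATCH with "logging": null
        out.append("logging removed")
    for rule in (req.get("lifecycle") or {}).get("rule") or []:
        if (rule.get("action") or {}).get("type") == "Delete":
            cond = json.dumps(rule.get("condition") or {}, sort_keys=True)
            out.append("lifecycle Delete rule, condition=%s" % cond)
    if "retentionPolicy" in req and not req["retentionPolicy"]:
        out.append("retention policy removed")
    return out


def triage(entries):
    """One triage record per watched bucket event; other methods are ignored."""
    records = []
    for e in entries:
        p = e["protoPayload"]
        if p["methodName"] not in WATCHED_METHODS:
            continue
        unexpected = unexpected_properties(e)
        records.append({
            "bucket": bucket_name(e),
            "action": p["methodName"],
            "principal": p["authenticationInfo"]["principalEmail"],
            "caller_ip": p["requestMetadata"]["callerIp"],
            "unexpected": unexpected,
            "severity": severity(unexpected),
            "changes": destructive_changes(e),
        })
    return records


if __name__ == "__main__":
    for record in triage(SAMPLE_ENTRIES):
        print(json.dumps(record))
```

Run as a script, the first entry produces no alert, the second is Low (unknown ASN and region) with two destructive changes to revert, and the deletion is Informational because only the action is outside the baseline. In practice the baseline would be learned per principal from historical Admin Activity logs, and the ASN and country lookups would come from an enrichment step on callerIp.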
Known False Positives
- Authorized cloud administrators modifying bucket configurations as part of routine maintenance or security updates
- Migration or decommissioning activities where buckets are legitimately deleted after data archival