GCP API calls indicating GCS bucket deletion
Description
AlphaSOC detected deletion of a GCP Cloud Storage bucket via storage.buckets.delete. Bucket deletion destroys all objects within the bucket, including data, backups, and application assets.
Adversaries may delete storage buckets as part of data destruction attacks, ransomware operations, or to cover their tracks by removing evidence stored in cloud storage.
Impact
Bucket deletion results in permanent loss of all contained objects if Object Versioning and soft delete are not enabled. Applications depending on the bucket will fail, and critical data including backups, logs, and business data may be permanently lost.
Severity
| Severity | Condition |
|---|---|
| Informational | Unexpected action, ASN, user agent or region |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
Investigation and Remediation
Review GCP audit logs for the storage.buckets.delete action. Identify which bucket was deleted and the principal responsible. Verify if this was an authorized decommissioning activity.
If unauthorized, attempt recovery through soft delete if available. Investigate the compromised identity for additional destructive activities. Restore data from external backups if possible. Implement bucket lock and retention policies on critical buckets to prevent deletion.
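As an added example (not AlphaSOC's code), the following Python triages constructed Cloud Audit Log lines for storage.buckets.delete, pulls out the deleted bucket and the responsible principal, and applies the severity table above by counting unexpected properties. The per-principal baseline and the IP-to-ASN lookup are assumptions standing in for a real enrichment source.

```python
import json
# Constructed sample Cloud Audit Log lines (not real data). Field names follow the
# google.cloud.audit.AuditLog payload that Cloud Logging records for GCS admin activity.
SAMPLE_LOG_LINES = [
    json.dumps({"protoPayload": {"methodName": "storage.buckets.delete",
                "resourceName": "projects/_/buckets/prod-backups",
                "authenticationInfo": {"principalEmail": "deploy-sa@example.iam.gserviceaccount.com"},
                "requestMetadata": {"callerIp": "203.0.113.7",
                                    "callerSuppliedUserAgent": "google-cloud-sdk gcloud/500.0.0"}},
                "resource": {"labels": {"location": "asia-east1"}}}),
    json.dumps({"protoPayload": {"methodName": "storage.objects.get"}}),  # not a deletion, ignored
]
# Hypothetical per-principal baseline of values seen during normal operation.
BASELINE = {"deploy-sa@example.iam.gserviceaccount.com": {
    "actions": {"storage.objects.get", "storage.objects.create"}, "asns": {"AS15169"},
    "user_agents": {"google-cloud-sdk"}, "regions": {"us-central1"}}}
# Placeholder for an IP-to-ASN enrichment source; values are constructed.
ASN_LOOKUP = {"203.0.113.7": "AS64496", "198.51.100.3": "AS15169"}
SEVERITY_BY_COUNT = {1: "Informational", 2: "Low", 3: "Medium"}

def parse_bucket_delete(line):
    """Return the analyst-relevant fields of a storage.buckets.delete entry, else None."""
    entry = json.loads(line)
    payload = entry.get("protoPayload", {})
    if payload.get("methodName") != "storage.buckets.delete":
        return None
    meta = payload.get("requestMetadata", {})
    return {"bucket": payload.get("resourceName", "").rsplit("/", 1)[-1],
            "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
            "ip": meta.get("callerIp"), "user_agent": meta.get("callerSuppliedUserAgent", ""),
            "region": entry.get("resource", {}).get("labels", {}).get("location")}

def score(event, baseline=BASELINE, asn_lookup=ASN_LOOKUP):
    """Apply the severity table: count which of action, ASN, user agent and region are unexpected."""
    seen = baseline.get(event["principal"], {})
    expected = {
        "action": "storage.buckets.delete" in seen.get("actions", set()),
        "asn": asn_lookup.get(event["ip"]) in seen.get("asns", set()),
        "user_agent": any(ua in event["user_agent"] for ua in seen.get("user_agents", set())),
        "region": event["region"] in seen.get("regions", set())}
    unexpected = sorted(k for k, ok in expected.items() if not ok)
    # Zero unexpected properties gives no severity (routine for this principal); the table
    # ends at three, so four unexpected properties are reported at its top level, Medium.
    return SEVERITY_BY_COUNT.get(min(len(unexpected), 3)), unexpected

def triage(lines):
    """Scan raw log lines; return (bucket, principal, severity, unexpected) per deletion."""
    events = [e for e in map(parse_bucket_delete, lines) if e]
    return [(e["bucket"], e["principal"], *score(e)) for e in events]
```

Feeding real entries exported from Cloud Logging into `triage` yields, per deletion, the bucket name and principal to verify against decommissioning records, plus the properties that made the event unusual.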