Unexpected GCP API calls indicating GCS bucket IAM policy modification
Description
AlphaSOC detected GCP API calls modifying IAM policies on Cloud Storage buckets
through storage.buckets.setIamPolicy actions. While legitimate for access
management, threat actors may exploit compromised credentials to grant
unauthorized access, establish persistence, or prepare for data exfiltration.
Attackers can add permissive roles like roles/storage.objectViewer or
roles/storage.admin, or grant public access via allUsers and
allAuthenticatedUsers. This detection uses anomaly analysis to identify
modifications with unexpected characteristics including unusual actions,
unfamiliar network origins (ASN), uncommon user agents, or unexpected geographic
regions.
Impact
Unauthorized IAM policy modifications compromise bucket security and access
controls. Attackers can grant themselves or external principals access to
sensitive data, enabling exfiltration or intellectual property theft. Adding
overly permissive roles like roles/storage.admin provides full control over
buckets and objects. Making buckets publicly accessible via allUsers or
allAuthenticatedUsers exposes private data to the Internet.
Organizations may face data breaches, compliance violations, and reputational damage. Modified policies enable persistence through added service accounts or external identities that maintain access after initial compromise remediation.
Severity
| Severity | Condition |
|---|---|
| Informational | Unexpected action, ASN, user agent, or region |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
Investigation and Remediation
Review GCP audit logs for storage.buckets.setIamPolicy events to identify
affected buckets and policy changes. Analyze new policy bindings to determine
added or removed principals and granted roles, particularly broad permissions
like roles/storage.admin, roles/storage.objectViewer, or assignments to
allUsers and allAuthenticatedUsers. Verify the principal that performed the
modification and check source IP address, user agent, and geographic location
against authorized infrastructure and personnel.
If unauthorized, revert IAM policies using version history or
infrastructure-as-code definitions. Review Cloud Storage access logs for
unauthorized data access after policy modification. Examine other activities by
the same principal for additional unauthorized changes. Disable or revoke
compromised credentials and rotate service account keys. Implement
least-privilege IAM policies restricting storage.buckets.setIamPolicy
permission.
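The binding review described above, as an added example that is not AlphaSOC's own code: it walks newline-delimited Cloud Audit Log entries, keeps only setIamPolicy-style events, and flags each added binding that grants a broad role or targets allUsers/allAuthenticatedUsers, alongside the actor, source IP and user agent an analyst then verifies. The sample entries are constructed, and the field paths (protoPayload.serviceData.policyDelta.bindingDeltas, requestMetadata) are assumed rather than taken from this page.

```python
import json
# Roles and principals the detection text calls out as high-risk when added to a bucket policy.
BROAD_ROLES = {"roles/storage.admin", "roles/storage.objectViewer"}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
# Constructed sample Cloud Audit Log entries (not real data); the field paths used
# (protoPayload.serviceData.policyDelta.bindingDeltas, requestMetadata) are assumed.
SAMPLE_LOG = [
    json.dumps({"protoPayload": {
        "methodName": "storage.setIamPermissions",
        "resourceName": "projects/_/buckets/finance-reports",
        "authenticationInfo": {"principalEmail": "admin@example.com"},
        "requestMetadata": {"callerIp": "203.0.113.10", "callerSuppliedUserAgent": "curl/8.0"},
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/storage.objectViewer", "member": "allUsers"},
            {"action": "ADD", "role": "roles/storage.admin", "member": "user:contractor@example.net"},
            {"action": "REMOVE", "role": "roles/storage.admin", "member": "user:old@example.com"},
        ]}}}}),
    json.dumps({"protoPayload": {
        "methodName": "storage.setIamPermissions",
        "resourceName": "projects/_/buckets/build-artifacts",
        "authenticationInfo": {"principalEmail": "ci@example.iam.gserviceaccount.com"},
        "requestMetadata": {"callerIp": "10.0.0.5", "callerSuppliedUserAgent": "google-cloud-sdk"},
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/storage.objectCreator",
             "member": "serviceAccount:deploy@example.iam.gserviceaccount.com"}]}}}}),
]

def binding_deltas(entry):
    # Bindings added/removed by a setIamPolicy-style event; [] for any other method.
    payload = entry.get("protoPayload", {})
    if "setiam" not in payload.get("methodName", "").lower():
        return []
    return payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])

def review_entry(entry):
    payload = entry.get("protoPayload", {})
    meta, findings = payload.get("requestMetadata", {}), []
    for delta in binding_deltas(entry):
        if delta.get("action") != "ADD":
            continue  # removals narrow access; only additions widen it
        reasons = [why for why, hit in (("public principal", delta.get("member") in PUBLIC_PRINCIPALS),
                                        ("broad role", delta.get("role") in BROAD_ROLES)) if hit]
        if reasons:
            findings.append({"bucket": payload.get("resourceName"), "role": delta["role"], "member": delta["member"],
                             "reasons": reasons, "actor": payload.get("authenticationInfo", {}).get("principalEmail"),
                             "caller_ip": meta.get("callerIp"), "user_agent": meta.get("callerSuppliedUserAgent")})
    return findings

def review_log(lines):  # lines: newline-delimited JSON export of the audit log
    return [f for line in lines for f in review_entry(json.loads(line))]
```

Each finding carries the actor, caller IP and user agent so it can be checked against authorized infrastructure and personnel; the second sample entry (a service account granting a narrow role) produces no finding.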
Known False Positives
- Authorized cloud administrators modifying bucket IAM policies for routine access management or security updates
- Migration or onboarding processes granting new users or service accounts access to existing buckets