GCP API calls indicating GCS bucket modification
Description
AlphaSOC detected modifications to a Google Cloud Storage (GCS) bucket configuration. This includes updates to bucket settings or bucket deletion. Adversaries may modify bucket configurations to weaken security controls, enable unauthorized access, or delete buckets to disrupt operations and destroy evidence.
Impact
Bucket modifications can expose sensitive data by weakening access controls, disable logging to hide malicious activity, or change lifecycle policies to affect data retention. Bucket deletion can result in permanent data loss and service disruption. These actions may be part of data theft, ransomware attacks, or attempts to cover tracks after a compromise.
Severity
| Severity | Condition |
|---|---|
| Low | GCS bucket modification by a user for the first time |
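As an added illustration of the first-time condition above (example code, not AlphaSOC's detection logic), the snippet below reads Cloud Audit Log entries, keeps only GCS bucket update, IAM-change and delete calls, and raises one Low alert the first time a principal makes such a change. The methodName values, the suppression of repeat changes by the same principal, and the sample log lines are assumptions made for the example.

```python
import json
from typing import Dict, Iterable, List, Optional, Set

# Assumed GCS Admin Activity audit-log methodName values; check them against
# your own Cloud Audit Logs before relying on the list.
MODIFY_METHODS = {"storage.buckets.update", "storage.buckets.patch", "storage.setIamPermissions"}
DELETE_METHODS = {"storage.buckets.delete"}

def classify(entry: Dict) -> Optional[str]:
    """Return 'modify', 'delete' or None for one parsed audit-log entry."""
    payload = entry.get("protoPayload", {})
    if payload.get("serviceName") != "storage.googleapis.com":
        return None
    method = payload.get("methodName", "")
    if method in DELETE_METHODS:
        return "delete"
    if method in MODIFY_METHODS:
        return "modify"
    return None

def detect_bucket_changes(entries: Iterable[Dict], seen: Optional[Set[str]] = None) -> List[Dict]:
    """Alert (severity Low) on a principal's first observed bucket change.
    Repeats by the same principal are suppressed (an assumption; the page only
    defines the first-time case). `seen` carries state across batches."""
    seen = set() if seen is None else seen
    alerts = []
    for entry in entries:
        kind = classify(entry)
        if kind is None:
            continue
        payload = entry["protoPayload"]
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "unknown")
        if principal in seen:
            continue
        seen.add(principal)
        alerts.append({"severity": "Low", "principal": principal, "action": kind,
                       "method": payload["methodName"], "bucket": payload.get("resourceName"),
                       "time": entry.get("timestamp")})
    return alerts

# Constructed sample log lines (not real data): two changes by alice, one delete by bob, one object read.
SAMPLE_LOG_LINES = [
    '{"timestamp":"2024-05-01T10:00:00Z","protoPayload":{"serviceName":"storage.googleapis.com","methodName":"storage.buckets.update","resourceName":"projects/_/buckets/example-logs","authenticationInfo":{"principalEmail":"alice@example.com"}}}',
    '{"timestamp":"2024-05-01T10:05:00Z","protoPayload":{"serviceName":"storage.googleapis.com","methodName":"storage.setIamPermissions","resourceName":"projects/_/buckets/example-logs","authenticationInfo":{"principalEmail":"alice@example.com"}}}',
    '{"timestamp":"2024-05-01T10:07:00Z","protoPayload":{"serviceName":"storage.googleapis.com","methodName":"storage.buckets.delete","resourceName":"projects/_/buckets/example-backup","authenticationInfo":{"principalEmail":"bob@example.com"}}}',
    '{"timestamp":"2024-05-01T10:09:00Z","protoPayload":{"serviceName":"storage.googleapis.com","methodName":"storage.objects.get","resourceName":"projects/_/buckets/example-logs/objects/a.txt","authenticationInfo":{"principalEmail":"alice@example.com"}}}',
]

def run_sample() -> List[Dict]:
    return detect_bucket_changes(json.loads(line) for line in SAMPLE_LOG_LINES)
```

Calling `run_sample()` on the constructed lines yields two alerts: alice's first update and bob's delete; alice's IAM change is suppressed and the object read never matches.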
Investigation and Remediation
Review the specific changes made to the bucket configuration. Verify the identity of the user who made the modifications and confirm the action was authorized. Check for changes to access controls, logging settings, lifecycle policies, or encryption configurations. If the modification was unauthorized, restore the original settings, review bucket access logs for suspicious activity, and investigate the user's account for signs of compromise.
Known False Positives
- Routine bucket configuration updates by administrators
- Automated infrastructure management tools
- Lifecycle policy adjustments as part of normal operations