Unexpected GCP API calls indicating GCS bucket permissions modification
Description
AlphaSOC detected modification of IAM permissions on a GCP Cloud Storage bucket
via storage.setIamPermissions. Adversaries may modify bucket permissions to
grant themselves access to sensitive data, enable data exfiltration, or
establish persistent access to storage resources. Permission changes may also be
used to make buckets publicly accessible.
Impact
Unauthorized bucket permission changes can expose sensitive data to attackers or the public. Granting write access enables data tampering or malware injection. Overly permissive IAM policies may violate compliance requirements and enable data breaches.
Severity
| Severity | Condition |
|---|---|
| Informational | Unexpected action, ASN, user agent or region |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
Investigation and Remediation
Review GCP audit logs for the storage.setIamPermissions action. Identify what
permissions were changed, which principals were added or removed, and verify
whether these changes align with authorized access provisioning.
If unauthorized, immediately revert the IAM policy to remove the unauthorized
access. Check whether allUsers or allAuthenticatedUsers were added, which
indicates public access. Review bucket access logs for data exfiltration during
the exposure period. Rotate credentials for the compromised identity.
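The triage steps above, as an added example that is not part of the original page or of AlphaSOC's own tooling: it filters Cloud Audit Log entries for storage.setIamPermissions, lists which principals were added or removed per role, and flags any addition of allUsers or allAuthenticatedUsers. The log lines are constructed samples, and the protoPayload.serviceData.policyDelta.bindingDeltas field layout is an assumption about the audit record shape.

```python
import json

# Principals that make a bucket public (see the remediation guidance above).
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample Cloud Audit Log entries, not real data. The
# protoPayload.serviceData.policyDelta.bindingDeltas layout is assumed.
SAMPLE_LOG_LINES = [
    json.dumps({"timestamp": "2024-05-01T10:15:00Z", "protoPayload": {
        "methodName": "storage.setIamPermissions",
        "authenticationInfo": {"principalEmail": "deploy-sa@example-project.iam.gserviceaccount.com"},
        "resourceName": "projects/_/buckets/example-reports-bucket",
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/storage.objectViewer", "member": "allUsers"},
            {"action": "REMOVE", "role": "roles/storage.objectAdmin", "member": "user:old.admin@example.com"},
        ]}}}}),
    json.dumps({"timestamp": "2024-05-01T10:16:00Z", "protoPayload": {
        "methodName": "storage.objects.get",
        "authenticationInfo": {"principalEmail": "reader@example.com"},
        "resourceName": "projects/_/buckets/example-reports-bucket/objects/q1.csv"}}),
]


def extract_iam_changes(log_lines):
    """Return one finding per storage.setIamPermissions entry: who changed what,
    which principals were added or removed, and whether any added principal is public."""
    findings = []
    for line in log_lines:
        entry = json.loads(line)
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") != "storage.setIamPermissions":
            continue  # other bucket activity is out of scope for this check
        deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        added = [(d["role"], d["member"]) for d in deltas if d.get("action") == "ADD"]
        removed = [(d["role"], d["member"]) for d in deltas if d.get("action") == "REMOVE"]
        findings.append({
            "timestamp": entry.get("timestamp"),
            "actor": payload.get("authenticationInfo", {}).get("principalEmail"),
            "bucket": payload.get("resourceName"),
            "added": added,
            "removed": removed,
            # Public exposure: an ADD of allUsers/allAuthenticatedUsers in any role.
            "public_exposure": sorted({m for _, m in added if m in PUBLIC_PRINCIPALS}),
        })
    return findings
```

Any finding with a non-empty public_exposure list is the case to revert first; the removed list shows which legitimate principals may need their access restored.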