GCP Storage Bucket Permissions Modification
Identifies when the Identity and Access Management (IAM) permissions are modified for a Google Cloud Platform (GCP) storage bucket. An adversary may modify the permissions on a storage bucket to weaken their target's security controls or an administrator may inadvertently modify the permissions, which could lead to data exposure or loss.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/09/21"
3integration = ["gcp"]
4maturity = "production"
5updated_date = "2025/01/15"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies when the Identity and Access Management (IAM) permissions are modified for a Google Cloud Platform (GCP)
11storage bucket. An adversary may modify the permissions on a storage bucket to weaken their target's security controls
12or an administrator may inadvertently modify the permissions, which could lead to data exposure or loss.
13"""
14false_positives = [
15 """
16 Storage bucket permissions may be modified by system administrators. Verify that the configuration change was
17 expected. Exceptions can be added to this rule to filter expected behavior.
18 """,
19]
20index = ["filebeat-*", "logs-gcp*"]
21language = "kuery"
22license = "Elastic License v2"
23name = "GCP Storage Bucket Permissions Modification"
24note = """## Triage and analysis
25
26> **Disclaimer**:
27> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
28
29### Investigating GCP Storage Bucket Permissions Modification
30
31Google Cloud Platform (GCP) storage buckets are essential for storing and managing data in the cloud. IAM permissions control access to these buckets, ensuring data security. Adversaries may alter these permissions to bypass security measures, leading to unauthorized data access or exposure. The detection rule identifies successful permission changes, signaling potential misuse or accidental misconfigurations, aiding in timely security audits and responses.
32
33### Possible investigation steps
34
35- Review the event logs for the specific action "storage.setIamPermissions" to identify which IAM permissions were modified and by whom.
36- Check the event.outcome field to confirm the success of the permission change and correlate it with any recent access attempts or data access patterns.
37- Investigate the identity of the user or service account that performed the permission change to determine if it aligns with expected administrative activities.
38- Assess the current IAM policy of the affected storage bucket to understand the new permissions and evaluate any potential security risks or exposure.
39- Cross-reference the timing of the permission change with other security events or alerts to identify any suspicious activity or patterns.
40- Consult with the bucket owner or relevant stakeholders to verify if the permission change was authorized and necessary for operational purposes.
41
42### False positive analysis
43
44- Routine administrative updates to IAM permissions can trigger alerts. To manage this, create exceptions for known maintenance windows or specific administrative accounts that regularly perform these updates.
45- Automated scripts or tools that adjust permissions as part of their normal operation may cause false positives. Identify these scripts and exclude their actions from triggering alerts by using specific service accounts or tags.
46- Changes made by trusted third-party services integrated with GCP might be flagged. Review and whitelist these services if they are verified and necessary for business operations.
47- Temporary permission changes for troubleshooting or testing purposes can be mistaken for malicious activity. Document and schedule these changes, and exclude them from alerts during the specified timeframes.
48- Permissions modified by cloud management platforms or orchestration tools should be reviewed. If these tools are part of standard operations, consider excluding their actions from the detection rule.
49
50### Response and remediation
51
52- Immediately revoke any unauthorized IAM permissions changes by restoring the previous known good configuration for the affected GCP storage bucket.
53- Conduct a thorough review of the IAM policy change logs to identify the source and nature of the modification, focusing on the user or service account responsible for the change.
54- Isolate the affected storage bucket from external access until the permissions are verified and secured to prevent further unauthorized access.
55- Notify the security team and relevant stakeholders about the incident, providing details of the unauthorized changes and the steps taken to mitigate the risk.
56- Implement additional monitoring on the affected storage bucket and related IAM policies to detect any further unauthorized changes or suspicious activities.
57- Review and update IAM policies to ensure the principle of least privilege is enforced, reducing the risk of similar incidents in the future.
58- If the incident is suspected to be part of a larger attack, escalate to incident response teams for a comprehensive investigation and potential involvement of law enforcement if necessary.
59
60## Setup
61
62The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
63references = ["https://cloud.google.com/storage/docs/access-control/iam-permissions"]
64risk_score = 47
65rule_id = "2326d1b2-9acf-4dee-bd21-867ea7378b4d"
66severity = "medium"
67tags = [
68 "Domain: Cloud",
69 "Data Source: GCP",
70 "Data Source: Google Cloud Platform",
71 "Use Case: Identity and Access Audit",
72 "Tactic: Defense Evasion",
73 "Resources: Investigation Guide",
74]
75timestamp_override = "event.ingested"
76type = "query"
77
78query = '''
79event.dataset:gcp.audit and event.action:"storage.setIamPermissions" and event.outcome:success
80'''
81
82
83[[rule.threat]]
84framework = "MITRE ATT&CK"
85[[rule.threat.technique]]
86id = "T1222"
87name = "File and Directory Permissions Modification"
88reference = "https://attack.mitre.org/techniques/T1222/"
89
90
91[rule.threat.tactic]
92id = "TA0005"
93name = "Defense Evasion"
94reference = "https://attack.mitre.org/tactics/TA0005/"
Triage and analysis
Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
Investigating GCP Storage Bucket Permissions Modification
Google Cloud Platform (GCP) storage buckets are essential for storing and managing data in the cloud. IAM permissions control access to these buckets, ensuring data security. Adversaries may alter these permissions to bypass security measures, leading to unauthorized data access or exposure. The detection rule identifies successful permission changes, signaling potential misuse or accidental misconfigurations, aiding in timely security audits and responses.
Possible investigation steps
- Review the event logs for the specific action "storage.setIamPermissions" to identify which IAM permissions were modified and by whom.
- Check the event.outcome field to confirm the success of the permission change and correlate it with any recent access attempts or data access patterns.
- Investigate the identity of the user or service account that performed the permission change to determine if it aligns with expected administrative activities.
- Assess the current IAM policy of the affected storage bucket to understand the new permissions and evaluate any potential security risks or exposure.
- Cross-reference the timing of the permission change with other security events or alerts to identify any suspicious activity or patterns.
- Consult with the bucket owner or relevant stakeholders to verify if the permission change was authorized and necessary for operational purposes.
False positive analysis
- Routine administrative updates to IAM permissions can trigger alerts. To manage this, create exceptions for known maintenance windows or specific administrative accounts that regularly perform these updates.
- Automated scripts or tools that adjust permissions as part of their normal operation may cause false positives. Identify these scripts and exclude their actions from triggering alerts by using specific service accounts or tags.
- Changes made by trusted third-party services integrated with GCP might be flagged. Review and whitelist these services if they are verified and necessary for business operations.
- Temporary permission changes for troubleshooting or testing purposes can be mistaken for malicious activity. Document and schedule these changes, and exclude them from alerts during the specified timeframes.
- Permissions modified by cloud management platforms or orchestration tools should be reviewed. If these tools are part of standard operations, consider excluding their actions from the detection rule.
Response and remediation
- Immediately revoke any unauthorized IAM permissions changes by restoring the previous known good configuration for the affected GCP storage bucket.
- Conduct a thorough review of the IAM policy change logs to identify the source and nature of the modification, focusing on the user or service account responsible for the change.
- Isolate the affected storage bucket from external access until the permissions are verified and secured to prevent further unauthorized access.
- Notify the security team and relevant stakeholders about the incident, providing details of the unauthorized changes and the steps taken to mitigate the risk.
- Implement additional monitoring on the affected storage bucket and related IAM policies to detect any further unauthorized changes or suspicious activities.
- Review and update IAM policies to ensure the principle of least privilege is enforced, reducing the risk of similar incidents in the future.
- If the incident is suspected to be part of a larger attack, escalate to incident response teams for a comprehensive investigation and potential involvement of law enforcement if necessary.
Setup
The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
Related rules
- GCP Storage Bucket Configuration Modification
- GCP Firewall Rule Creation
- GCP Firewall Rule Deletion
- GCP Firewall Rule Modification
- GCP IAM Custom Role Creation